diff options
| author | fordprefect | 2020-04-03 20:41:50 +0200 |
|---|---|---|
| committer | fordprefect | 2020-04-03 20:41:50 +0200 |
| commit | 8c588743cfffb6e32c951f6d6a83f35e5b7b51fe (patch) | |
| tree | 3f6718e94b6c63a4f42efbcd6cc43cc1003d0a3c | |
| parent | 5cba5b0a5f858d04b3c32e9423b47845cc834b17 (diff) | |
| download | aur-8c588743cfffb6e32c951f6d6a83f35e5b7b51fe.tar.gz | |
2.4.43
| -rw-r--r-- | .SRCINFO | 10 | ||||
| -rw-r--r-- | PKGBUILD | 11 | ||||
| -rw-r--r-- | httpd-2.4.23-openssl11.patch | 1307 |
3 files changed, 7 insertions, 1321 deletions
@@ -1,8 +1,6 @@ -# Generated by mksrcinfo v8 -# Fri Aug 16 09:45:09 UTC 2019 pkgbase = apache-tools pkgdesc = Useful Apache tools - htdigest, htpasswd, ab, htdbm - pkgver = 2.4.41 + pkgver = 2.4.43 pkgrel = 1 url = http://httpd.apache.org/ arch = i686 @@ -15,12 +13,10 @@ pkgbase = apache-tools depends = apr-util depends = pcre conflicts = apache - source = http://www.apache.org/dist/httpd/httpd-2.4.41.tar.bz2 + source = http://www.apache.org/dist/httpd/httpd-2.4.43.tar.bz2 source = apache-tools-Makefile.patch - source = httpd-2.4.23-openssl11.patch - sha256sums = 133d48298fe5315ae9366a0ec66282fa4040efa5d566174481077ade7d18ea40 + sha256sums = a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 sha256sums = 2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f - sha256sums = e87409c13feb2abd66d88cdb8c88c2cc408491adb7fd6793025a3ad2d6599a60 pkgname = apache-tools @@ -3,7 +3,7 @@ # Contributor: Pavel Larev <pavel@larev.ws> pkgname=apache-tools -pkgver=2.4.41 +pkgver=2.4.43 pkgrel=1 pkgdesc="Useful Apache tools - htdigest, htpasswd, ab, htdbm" arch=("i686" "x86_64" "armv6h" "armv7h" "aarch64") @@ -13,16 +13,13 @@ depends=("apr-util" "pcre") makedepends=("apr-util") conflicts=(apache) source=(http://www.apache.org/dist/httpd/httpd-$pkgver.tar.bz2 - $pkgname-Makefile.patch - httpd-2.4.23-openssl11.patch) -sha256sums=('133d48298fe5315ae9366a0ec66282fa4040efa5d566174481077ade7d18ea40' - '2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f' - 'e87409c13feb2abd66d88cdb8c88c2cc408491adb7fd6793025a3ad2d6599a60') + $pkgname-Makefile.patch) +sha256sums=('a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43' + '2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f') prepare() { cd httpd-$pkgver/ patch -p1 -i ../$pkgname-Makefile.patch - #patch -p1 -i ../httpd-2.4.23-openssl11.patch } build() { diff --git a/httpd-2.4.23-openssl11.patch b/httpd-2.4.23-openssl11.patch deleted file mode 100644 index 006ac7049f1e..000000000000 --- a/httpd-2.4.23-openssl11.patch +++ /dev/null @@ -1,1307 +0,0 @@ -diff --git a/acinclude.m4 b/acinclude.m4 -index dd0e2ea..907fbe8 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -579,7 +579,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[ - dnl Run library and function checks - liberrors="" - AC_CHECK_HEADERS([openssl/engine.h]) -- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) -+ AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"]) - AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd]) - if test "x$liberrors" != "x"; then - AC_MSG_WARN([OpenSSL libraries are unusable]) -diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c -index 9e63a7d..adc90d1 100644 ---- a/modules/ssl/mod_ssl.c -+++ b/modules/ssl/mod_ssl.c -@@ -312,7 +312,13 @@ static apr_status_t ssl_cleanup_pre_config(void *data) - #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES - ENGINE_cleanup(); - #endif -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL -+ ERR_remove_thread_state(NULL); -+#else - ERR_remove_state(0); -+#endif -+#endif - - /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only - * actually loaded the error strings once per process due to static -@@ -342,7 +348,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, - /* We must register the library in full, to ensure our configuration - * code can successfully test the SSL environment. - */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - CRYPTO_malloc_init(); -+#else -+ OPENSSL_malloc_init(); -+#endif - ERR_load_crypto_strings(); - SSL_load_error_strings(); - SSL_library_init(); -diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index cb3efa2..ba79ef3 100644 ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -47,21 +47,50 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server, - #define KEYTYPES "RSA or DSA" - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+/* OpenSSL Pre-1.1.0 compatibility */ -+/* Taken from OpenSSL 1.1.0 snapshot 20160410 */ -+static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* q is optional */ -+ if (p == NULL || g == NULL) -+ return 0; -+ BN_free(dh->p); -+ BN_free(dh->q); -+ BN_free(dh->g); -+ dh->p = p; -+ dh->q = q; -+ dh->g = g; -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return 1; -+} -+#endif -+ - /* -- * Grab well-defined DH parameters from OpenSSL, see the get_rfc* -+ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* - * functions in <openssl/bn.h> for all available primes. - */ --static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen) -+static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *)) - { - DH *dh = DH_new(); -+ BIGNUM *p, *g; - - if (!dh) { - return NULL; - } -- dh->p = prime(NULL); -- BN_dec2bn(&dh->g, gen); -- if (!dh->p || !dh->g) { -+ p = prime(NULL); -+ g = BN_new(); -+ if (g != NULL) { -+ BN_set_word(g, 2); -+ } -+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) { - DH_free(dh); -+ BN_free(p); -+ BN_free(g); - return NULL; - } - return dh; -@@ -73,12 +102,12 @@ static struct dhparam { - DH *dh; /* ...this, used for keys.... */ - const unsigned int min; /* ...of length >= this. */ - } dhparams[] = { -- { get_rfc3526_prime_8192, NULL, 6145 }, -- { get_rfc3526_prime_6144, NULL, 4097 }, -- { get_rfc3526_prime_4096, NULL, 3073 }, -- { get_rfc3526_prime_3072, NULL, 2049 }, -- { get_rfc3526_prime_2048, NULL, 1025 }, -- { get_rfc2409_prime_1024, NULL, 0 } -+ { BN_get_rfc3526_prime_8192, NULL, 6145 }, -+ { BN_get_rfc3526_prime_6144, NULL, 4097 }, -+ { BN_get_rfc3526_prime_4096, NULL, 3073 }, -+ { BN_get_rfc3526_prime_3072, NULL, 2049 }, -+ { BN_get_rfc3526_prime_2048, NULL, 1025 }, -+ { BN_get_rfc2409_prime_1024, NULL, 0 } - }; - - static void init_dh_params(void) -@@ -86,7 +115,7 @@ static void init_dh_params(void) - unsigned n; - - for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++) -- dhparams[n].dh = make_dh_params(dhparams[n].prime, "2"); -+ dhparams[n].dh = make_dh_params(dhparams[n].prime); - } - - static void free_dh_params(void) -@@ -153,7 +182,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, - "Init: this version of mod_ssl was compiled against " - "a newer library (%s, version currently loaded is %s)" - " - may result in undefined or erroneous behavior", -- MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION)); -+ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT); - } - - /* We initialize mc->pid per-process in the child init, -@@ -228,9 +257,11 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, - #endif - } - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - #if APR_HAS_THREADS - ssl_util_thread_setup(p); - #endif -+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ - - /* - * SSL external crypto device ("engine") support -@@ -351,6 +382,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, - modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ - - init_dh_params(); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ init_bio_methods(); -+#endif - - return OK; - } -@@ -481,6 +515,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, - char *cp; - int protocol = mctx->protocol; - SSLSrvConfigRec *sc = mySrvConfig(s); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ int prot; -+#endif - - /* - * Create the new per-server SSL context -@@ -506,6 +543,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, - ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, - "Creating new SSL context (protocols: %s)", cp); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - #ifndef OPENSSL_NO_SSL3 - if (protocol == SSL_PROTOCOL_SSLV3) { - method = mctx->pkp ? -@@ -536,12 +574,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, - SSLv23_client_method() : /* proxy */ - SSLv23_server_method(); /* server */ - } -+#else -+ method = mctx->pkp ? -+ TLS_client_method() : /* proxy */ -+ TLS_server_method(); /* server */ -+#endif - ctx = SSL_CTX_new(method); - - mctx->ssl_ctx = ctx; - - SSL_CTX_set_options(ctx, SSL_OP_ALL); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* always disable SSLv2, as per RFC 6176 */ - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); - -@@ -565,6 +609,43 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, - } - #endif - -+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ -+ /* We first determine the maximum protocol version we should provide */ -+ if (protocol & SSL_PROTOCOL_TLSV1_2) { -+ prot = TLS1_2_VERSION; -+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) { -+ prot = TLS1_1_VERSION; -+ } else if (protocol & SSL_PROTOCOL_TLSV1) { -+ prot = TLS1_VERSION; -+#ifndef OPENSSL_NO_SSL3 -+ } else if (protocol & SSL_PROTOCOL_SSLV3) { -+ prot = SSL3_VERSION; -+#endif -+ } else { -+ SSL_CTX_free(ctx); -+ mctx->ssl_ctx = NULL; -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) -+ "No SSL protocols available [hint: SSLProtocol]"); -+ return ssl_die(s); -+ } -+ SSL_CTX_set_max_proto_version(ctx, prot); -+ -+ /* Next we scan for the minimal protocol version we should provide, -+ * but we do not allow holes between max and min */ -+ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { -+ prot = TLS1_1_VERSION; -+ } -+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { -+ prot = TLS1_VERSION; -+ } -+#ifndef OPENSSL_NO_SSL3 -+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) { -+ prot = SSL3_VERSION; -+ } -+#endif -+ SSL_CTX_set_min_proto_version(ctx, prot); -+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ -+ - #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - if (sc->cipher_server_pref == TRUE) { - SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); -@@ -858,7 +939,7 @@ static int use_certificate_chain( - unsigned long err; - int n; - -- if ((bio = BIO_new(BIO_s_file_internal())) == NULL) -+ if ((bio = BIO_new(BIO_s_file())) == NULL) - return -1; - if (BIO_read_filename(bio, file) <= 0) { - BIO_free(bio); -@@ -1200,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, - SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) - "Custom DH parameters (%d bits) for %s loaded from %s", -- BN_num_bits(dhparams->p), vhost_id, certfile); -+ DH_bits(dhparams), vhost_id, certfile); - DH_free(dhparams); - } - -@@ -1721,7 +1802,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) - "an OpenSSL version with support for TLS extensions " - "(RFC 6066 - Server Name Indication / SNI), " - "but the currently used library version (%s) is " -- "lacking this feature", SSLeay_version(SSLEAY_VERSION)); -+ "lacking this feature", MODSSL_LIBRARY_DYNTEXT); - } - #endif - -@@ -1917,6 +1998,9 @@ apr_status_t ssl_init_ModuleKill(void *data) - ssl_init_ctx_cleanup(sc->server); - } - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ free_bio_methods(); -+#endif - free_dh_params(); - - return APR_SUCCESS; -diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c -index 82953ad..b463e1a 100644 ---- a/modules/ssl/ssl_engine_io.c -+++ b/modules/ssl/ssl_engine_io.c -@@ -149,7 +149,7 @@ static int bio_filter_out_pass(bio_filter_out_ctx_t *outctx) - * success, -1 on failure. */ - static int bio_filter_out_flush(BIO *bio) - { -- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); -+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); - apr_bucket *e; - - AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb)); -@@ -162,10 +162,16 @@ static int bio_filter_out_flush(BIO *bio) - - static int bio_filter_create(BIO *bio) - { -- bio->shutdown = 1; -- bio->init = 1; -+ BIO_set_shutdown(bio, 1); -+ BIO_set_init(bio, 1); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ /* No setter method for OpenSSL 1.1.0 available, -+ * but I can't find any functional use of the -+ * "num" field there either. -+ */ - bio->num = -1; -- bio->ptr = NULL; -+#endif -+ BIO_set_data(bio, NULL); - - return 1; - } -@@ -190,7 +196,7 @@ static int bio_filter_out_read(BIO *bio, char *out, int outl) - - static int bio_filter_out_write(BIO *bio, const char *in, int inl) - { -- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); -+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); - apr_bucket *e; - int need_flush; - -@@ -241,7 +247,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) - static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) - { - long ret = 1; -- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); -+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); - - switch (cmd) { - case BIO_CTRL_RESET: -@@ -257,10 +263,10 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) - ret = 0; - break; - case BIO_CTRL_GET_CLOSE: -- ret = (long)bio->shutdown; -+ ret = (long)BIO_get_shutdown(bio); - break; - case BIO_CTRL_SET_CLOSE: -- bio->shutdown = (int)num; -+ BIO_set_shutdown(bio, (int)num); - break; - case BIO_CTRL_FLUSH: - ret = bio_filter_out_flush(bio); -@@ -294,19 +300,6 @@ static int bio_filter_out_puts(BIO *bio, const char *str) - return -1; - } - --static BIO_METHOD bio_filter_out_method = { -- BIO_TYPE_MEM, -- "APR output filter", -- bio_filter_out_write, -- bio_filter_out_read, /* read is never called */ -- bio_filter_out_puts, /* puts is never called */ -- bio_filter_out_gets, /* gets is never called */ -- bio_filter_out_ctrl, -- bio_filter_create, -- bio_filter_destroy, -- NULL --}; -- - typedef struct { - int length; - char *value; -@@ -456,7 +449,7 @@ static apr_status_t brigade_consume(apr_bucket_brigade *bb, - static int bio_filter_in_read(BIO *bio, char *in, int inlen) - { - apr_size_t inl = inlen; -- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr); -+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); - apr_read_type_e block = inctx->block; - - inctx->rc = APR_SUCCESS; -@@ -536,20 +529,86 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) - return -1; - } - -+static int bio_filter_in_write(BIO *bio, const char *in, int inl) -+{ -+ return -1; -+} -+ -+static int bio_filter_in_puts(BIO *bio, const char *str) -+{ -+ return -1; -+} -+ -+static int bio_filter_in_gets(BIO *bio, char *buf, int size) -+{ -+ return -1; -+} -+ -+static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) -+{ -+ return -1; -+} -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+static BIO_METHOD bio_filter_out_method = { -+ BIO_TYPE_MEM, -+ "APR output filter", -+ bio_filter_out_write, -+ bio_filter_out_read, /* read is never called */ -+ bio_filter_out_puts, /* puts is never called */ -+ bio_filter_out_gets, /* gets is never called */ -+ bio_filter_out_ctrl, -+ bio_filter_create, -+ bio_filter_destroy, -+ NULL -+}; - - static BIO_METHOD bio_filter_in_method = { - BIO_TYPE_MEM, - "APR input filter", -- NULL, /* write is never called */ -+ bio_filter_in_write, /* write is never called */ - bio_filter_in_read, -- NULL, /* puts is never called */ -- NULL, /* gets is never called */ -- NULL, /* ctrl is never called */ -+ bio_filter_in_puts, /* puts is never called */ -+ bio_filter_in_gets, /* gets is never called */ -+ bio_filter_in_ctrl, /* ctrl is never called */ - bio_filter_create, - bio_filter_destroy, - NULL - }; - -+#else -+ -+static BIO_METHOD *bio_filter_out_method = NULL; -+static BIO_METHOD *bio_filter_in_method = NULL; -+ -+void init_bio_methods(void) -+{ -+ bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter"); -+ BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write); -+ BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */ -+ BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */ -+ BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */ -+ BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl); -+ BIO_meth_set_create(bio_filter_out_method, &bio_filter_create); -+ BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy); -+ -+ bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter"); -+ BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */ -+ BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read); -+ BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */ -+ BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */ -+ BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */ -+ BIO_meth_set_create(bio_filter_in_method, &bio_filter_create); -+ BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy); -+} -+ -+void free_bio_methods(void) -+{ -+ BIO_meth_free(bio_filter_out_method); -+ BIO_meth_free(bio_filter_in_method); -+} -+#endif - - static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, - char *buf, -@@ -789,7 +848,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f, - */ - ERR_clear_error(); - -- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; -+ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); - res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len); - - if (res < 0) { -@@ -1267,9 +1326,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) - - if ((n = SSL_accept(filter_ctx->pssl)) <= 0) { - bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *) -- (filter_ctx->pbioRead->ptr); -+ BIO_get_data(filter_ctx->pbioRead); - bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *) -- (filter_ctx->pbioWrite->ptr); -+ BIO_get_data(filter_ctx->pbioWrite); - apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ; - ssl_err = SSL_get_error(filter_ctx->pssl, n); - -@@ -1682,8 +1741,8 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, - return ap_pass_brigade(f->next, bb); - } - -- inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr; -- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; -+ inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead); -+ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); - - /* When we are the writer, we must initialize the inctx - * mode so that we block for any required ssl input, because -@@ -1964,8 +2023,12 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, - - filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); -- filter_ctx->pbioRead->ptr = (void *)inctx; -+#else -+ filter_ctx->pbioRead = BIO_new(bio_filter_in_method); -+#endif -+ BIO_set_data(filter_ctx->pbioRead, (void *)inctx); - - inctx->ssl = ssl; - inctx->bio_out = filter_ctx->pbioWrite; -@@ -1995,8 +2058,12 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl) - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, - filter_ctx, r, c); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); -- filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c); -+#else -+ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); -+#endif -+ BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c)); - - /* write is non blocking for the benefit of async mpm */ - if (c->cs) { -diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c -index d4459a2..da2776f 100644 ---- a/modules/ssl/ssl_engine_kernel.c -+++ b/modules/ssl/ssl_engine_kernel.c -@@ -80,7 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r) - SSL_set_accept_state(ssl); - SSL_do_handshake(ssl); - -- if (SSL_get_state(ssl) != SSL_ST_OK) { -+ if (!SSL_is_init_finished(ssl)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) - "TLS upgrade handshake failed"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); -@@ -114,6 +114,7 @@ static int has_buffered_data(request_rec *r) - return result; - } - -+#ifdef HAVE_TLSEXT - static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) - { - int i; -@@ -215,6 +216,7 @@ static int ssl_server_compatible(server_rec *s1, server_rec *s2) - - return 1; - } -+#endif - - /* - * Post Read Request Handler -@@ -432,7 +434,7 @@ int ssl_hook_Access(request_rec *r) - X509 *cert; - X509 *peercert; - X509_STORE *cert_store = NULL; -- X509_STORE_CTX cert_store_ctx; -+ X509_STORE_CTX *cert_store_ctx; - STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; - const SSL_CIPHER *cipher = NULL; - int depth, verify_old, verify, n, is_slave = 0; -@@ -456,7 +458,7 @@ int ssl_hook_Access(request_rec *r) - * forbidden in the latter case, let ap_die() handle - * this recursive (same) error. - */ -- if (SSL_get_state(ssl) != SSL_ST_OK) { -+ if (!SSL_is_init_finished(ssl)) { - return HTTP_FORBIDDEN; - } - ctx = SSL_get_SSL_CTX(ssl); -@@ -622,7 +624,7 @@ int ssl_hook_Access(request_rec *r) - !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list)); - n++) - { -- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); -+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); - - if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) { - renegotiate = TRUE; -@@ -633,7 +635,7 @@ int ssl_hook_Access(request_rec *r) - !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old)); - n++) - { -- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); -+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); - - if (sk_SSL_CIPHER_find(cipher_list, value) < 0) { - renegotiate = TRUE; -@@ -914,25 +916,27 @@ int ssl_hook_Access(request_rec *r) - cert = sk_X509_value(cert_stack, 0); - } - -- X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); -+ cert_store_ctx = X509_STORE_CTX_new(); -+ X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); - depth = SSL_get_verify_depth(ssl); - - if (depth >= 0) { -- X509_STORE_CTX_set_depth(&cert_store_ctx, depth); -+ X509_STORE_CTX_set_depth(cert_store_ctx, depth); - } - -- X509_STORE_CTX_set_ex_data(&cert_store_ctx, -+ X509_STORE_CTX_set_ex_data(cert_store_ctx, - SSL_get_ex_data_X509_STORE_CTX_idx(), - (char *)ssl); - -- if (!X509_verify_cert(&cert_store_ctx)) { -+ if (!X509_verify_cert(cert_store_ctx)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) - "Re-negotiation verification step failed"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); - } - -- SSL_set_verify_result(ssl, cert_store_ctx.error); -- X509_STORE_CTX_cleanup(&cert_store_ctx); -+ SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); -+ X509_STORE_CTX_cleanup(cert_store_ctx); -+ X509_STORE_CTX_free(cert_store_ctx); - - if (cert_stack != SSL_get_peer_cert_chain(ssl)) { - /* we created this ourselves, so free it */ -@@ -940,6 +944,7 @@ int ssl_hook_Access(request_rec *r) - } - } - else { -+ char peekbuf[1]; - const char *reneg_support; - request_rec *id = r->main ? r->main : r; - -@@ -983,7 +988,7 @@ int ssl_hook_Access(request_rec *r) - SSL_renegotiate(ssl); - SSL_do_handshake(ssl); - -- if (SSL_get_state(ssl) != SSL_ST_OK) { -+ if (!SSL_is_init_finished(ssl)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225) - "Re-negotiation request failed"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); -@@ -999,16 +1004,15 @@ int ssl_hook_Access(request_rec *r) - * However, this causes failures in perl-framework currently, - * perhaps pre-test if we have already negotiated? - */ --#ifdef OPENSSL_NO_SSL_INTERN -- SSL_set_state(ssl, SSL_ST_ACCEPT); --#else -- ssl->state = SSL_ST_ACCEPT; --#endif -- SSL_do_handshake(ssl); -+ /* Need to trigger renegotiation handshake by reading. -+ * Peeking 0 bytes actually works. -+ * See: http://marc.info/?t=145493359200002&r=1&w=2 -+ */ -+ SSL_peek(ssl, peekbuf, 0); - - sslconn->reneg_state = RENEG_REJECT; - -- if (SSL_get_state(ssl) != SSL_ST_OK) { -+ if (!SSL_is_init_finished(ssl)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) - "Re-negotiation handshake failed"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); -@@ -1513,7 +1517,11 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) - SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); - #endif - pkey = SSL_get_privatekey(ssl); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; -+#else -+ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; -+#endif - - /* - * OpenSSL will call us with either keylen == 512 or keylen == 1024 -@@ -1725,11 +1733,19 @@ static void modssl_proxy_info_log(conn_rec *c, - * so we need to increment here to prevent them from - * being freed. - */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - #define modssl_set_cert_info(info, cert, pkey) \ - *cert = info->x509; \ - CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ - *pkey = info->x_pkey->dec_pkey; \ - CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY) -+#else -+#define modssl_set_cert_info(info, cert, pkey) \ -+ *cert = info->x509; \ -+ X509_up_ref(*cert); \ -+ *pkey = info->x_pkey->dec_pkey; \ -+ EVP_PKEY_up_ref(*pkey); -+#endif - - int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) - { -@@ -1823,7 +1839,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) - - static void ssl_session_log(server_rec *s, - const char *request, -- unsigned char *id, -+ IDCONST unsigned char *id, - unsigned int idlen, - const char *status, - const char *result, -@@ -1863,7 +1879,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session) - SSLSrvConfigRec *sc = mySrvConfig(s); - long timeout = sc->session_cache_timeout; - BOOL rc; -- unsigned char *id; -+ IDCONST unsigned char *id; - unsigned int idlen; - - /* -@@ -1907,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session) - * of our other Apache pre-forked server processes. - */ - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, -- unsigned char *id, -+ IDCONST unsigned char *id, - int idlen, int *do_copy) - { - /* Get Apache context back through OpenSSL context */ -@@ -1946,7 +1962,7 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx, - { - server_rec *s; - SSLSrvConfigRec *sc; -- unsigned char *id; -+ IDCONST unsigned char *id; - unsigned int idlen; - - /* -@@ -2067,15 +2083,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) - /* If the reneg state is to reject renegotiations, check the SSL - * state machine and move to ABORT if a Client Hello is being - * read. */ -- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { -- int state = SSL_get_state((SSL *)ssl); -- -- if (state == SSL3_ST_SR_CLNT_HELLO_A -- || state == SSL23_ST_SR_CLNT_HELLO_A) { -+ if (!scr->is_proxy && -+ (where & SSL_CB_HANDSHAKE_START) && -+ scr->reneg_state == RENEG_REJECT) { - scr->reneg_state = RENEG_ABORT; - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) - "rejecting client initiated renegotiation"); -- } - } - /* If the first handshake is complete, change state to reject any - * subsequent client-initiated renegotiation. */ -@@ -2279,7 +2292,7 @@ int ssl_callback_SessionTicket(SSL *ssl, - } - - memcpy(keyname, ticket_key->key_name, 16); -- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); -+ RAND_bytes(iv, EVP_MAX_IV_LENGTH); - EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, - ticket_key->aes_key, iv); - HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); -@@ -2416,17 +2429,27 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) - SRP_user_pwd *u; - - if (username == NULL -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { -+#else -+ || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) { -+#endif - *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; - return SSL3_AL_FATAL; - } - - if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ SRP_user_pwd_free(u); -+#endif - *ad = SSL_AD_INTERNAL_ERROR; - return SSL3_AL_FATAL; - } - - /* reset all other options */ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ SRP_user_pwd_free(u); -+#endif - SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); - return SSL_ERROR_NONE; - } -diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c -index f295651..282a2a2 100644 ---- a/modules/ssl/ssl_engine_ocsp.c -+++ b/modules/ssl/ssl_engine_ocsp.c -@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert, - { - OCSP_REQUEST *req = OCSP_REQUEST_new(); - -- *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); -+ *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx)); - if (!*certid || !OCSP_request_add0_id(req, *certid)) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) - "could not retrieve certificate id"); -@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, - - if (rc == V_OCSP_CERTSTATUS_GOOD) { - /* TODO: allow flags configuration. */ -- if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { -+ if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) - "failed to verify the OCSP response"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); -@@ -262,7 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, - "No cert available to check with OCSP"); - return 1; - } -- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { -+ else if (X509_check_issued(cert,cert) == X509_V_OK) { - /* don't do OCSP checking for valid self-issued certs */ - ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, - "Skipping OCSP check for valid self-issued cert"); -diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c -index 036cb36..42c22b0 100644 ---- a/modules/ssl/ssl_engine_vars.c -+++ b/modules/ssl/ssl_engine_vars.c -@@ -380,7 +380,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, - char buf[MODSSL_SESSION_ID_STRING_LEN]; - SSL_SESSION *pSession = SSL_get_session(ssl); - if (pSession) { -- unsigned char *id; -+ IDCONST unsigned char *id; - unsigned int idlen; - - #ifdef OPENSSL_NO_SSL_INTERN -@@ -545,13 +545,25 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, - resdup = FALSE; - } - else if (strcEQ(var, "A_SIG")) { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); -+#else -+ ASN1_OBJECT *paobj; -+ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs)); -+ nid = OBJ_obj2nid(paobj); -+#endif - result = apr_pstrdup(p, - (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); - resdup = FALSE; - } - else if (strcEQ(var, "A_KEY")) { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm)); -+#else -+ ASN1_OBJECT *paobj; -+ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs)); -+ nid = OBJ_obj2nid(paobj); -+#endif - result = apr_pstrdup(p, - (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); - resdup = FALSE; -@@ -613,11 +625,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char * - for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) { - if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen) - && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) { -- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *) -- xsname->entries); -- j++) { -- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *) -- xsname->entries, j); -+ for (j = 0; j < X509_NAME_entry_count(xsname); j++) { -+ xsne = X509_NAME_get_entry(xsname, j); - - n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); - -@@ -919,7 +928,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var) - static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, - X509_NAME *xn, apr_pool_t *p) - { -- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries; - X509_NAME_ENTRY *xsne; - apr_hash_t *count; - int i, nid; -@@ -929,10 +937,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, - count = apr_hash_make(p); - - /* For each RDN... */ -- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) { -+ for (i = 0; i < X509_NAME_entry_count(xn); i++) { - const char *tag; -- -- xsne = sk_X509_NAME_ENTRY_value(ents, i); -+ xsne = X509_NAME_get_entry(xn, i); - - /* Retrieve the nid, and check whether this is one of the nids - * which are to be extracted. */ -@@ -1106,7 +1113,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, - for (j = 0; j < count; j++) { - X509_EXTENSION *ext = X509_get_ext(xs, j); - -- if (OBJ_cmp(ext->object, oid) == 0) { -+ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { - BIO *bio = BIO_new(BIO_s_mem()); - - /* We want to obtain a string representation of the extensions -diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h -index 7813e41..08de3a1 100644 ---- a/modules/ssl/ssl_private.h -+++ b/modules/ssl/ssl_private.h -@@ -135,6 +135,13 @@ - #define HAVE_SSL_CONF_CMD - #endif - -+/* session id constness */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define IDCONST -+#else -+#define IDCONST const -+#endif -+ - /** - * The following features all depend on TLS extension support. - * Within this block, check again for features (not version numbers). -@@ -151,6 +158,8 @@ - /* OCSP stapling */ - #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) - #define HAVE_OCSP_STAPLING -+/* All exist but are no longer macros since OpenSSL 1.1.0 */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* backward compatibility with OpenSSL < 1.0 */ - #ifndef sk_OPENSSL_STRING_num - #define sk_OPENSSL_STRING_num sk_num -@@ -161,7 +170,8 @@ - #ifndef sk_OPENSSL_STRING_pop - #define sk_OPENSSL_STRING_pop sk_pop - #endif --#endif -+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ -+#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */ - - /* TLS session tickets */ - #if defined(SSL_CTX_set_tlsext_ticket_key_cb) -@@ -189,6 +199,36 @@ - - #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 -+#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 -+#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 -+#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048 -+#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072 -+#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 -+#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 -+#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 -+#define BIO_set_init(x,v) (x->init=v) -+#define BIO_get_data(x) (x->ptr) -+#define BIO_set_data(x,v) (x->ptr=v) -+#define BIO_get_shutdown(x) (x->shutdown) -+#define BIO_set_shutdown(x,v) (x->shutdown=v) -+#define DH_bits(x) (BN_num_bits(x->p)) -+#else -+void init_bio_methods(void); -+void free_bio_methods(void); -+#endif -+ -+#if OPENSSL_VERSION_NUMBER < 0x10002000L -+#define X509_STORE_CTX_get0_store(x) (x->ctx) -+#endif -+ -+#if OPENSSL_VERSION_NUMBER < 0x10000000L -+#ifndef X509_STORE_CTX_get0_current_issuer -+#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) -+#endif -+#endif -+ - /* mod_ssl headers */ - #include "ssl_util_ssl.h" - -@@ -454,12 +494,12 @@ typedef struct { - * partial fix for CVE-2009-3555. */ - enum { - RENEG_INIT = 0, /* Before initial handshake */ -- RENEG_REJECT, /* After initial handshake; any client-initiated -- * renegotiation should be rejected */ -- RENEG_ALLOW, /* A server-initiated renegotiation is taking -- * place (as dictated by configuration) */ -- RENEG_ABORT /* Renegotiation initiated by client, abort the -- * connection */ -+ RENEG_REJECT, /* After initial handshake; any client-initiated -+ * renegotiation should be rejected */ -+ RENEG_ALLOW, /* A server-initiated renegotiation is taking -+ * place (as dictated by configuration) */ -+ RENEG_ABORT /* Renegotiation initiated by client, abort the -+ * connection */ - } reneg_state; - - server_rec *server; -@@ -810,7 +850,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CTX *); - int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); - int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); - int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); --SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); -+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *); - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); - void ssl_callback_Info(const SSL *, int, int); - #ifdef HAVE_TLSEXT -@@ -831,10 +871,10 @@ int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out, - apr_status_t ssl_scache_init(server_rec *, apr_pool_t *); - void ssl_scache_status_register(apr_pool_t *p); - void ssl_scache_kill(server_rec *); --BOOL ssl_scache_store(server_rec *, UCHAR *, int, -+BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, - apr_time_t, SSL_SESSION *, apr_pool_t *); --SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *); --void ssl_scache_remove(server_rec *, UCHAR *, int, -+SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *); -+void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, - apr_pool_t *); - - /** Proxy Support */ -@@ -882,7 +922,9 @@ void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); - char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, - const char * const *); - BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - void ssl_util_thread_setup(apr_pool_t *); -+#endif - int ssl_init_ssl_connection(conn_rec *c, request_rec *r); - - BOOL ssl_util_vhost_matches(const char *servername, server_rec *s); -diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c -index 70d1877..7b4a203 100644 ---- a/modules/ssl/ssl_scache.c -+++ b/modules/ssl/ssl_scache.c -@@ -110,7 +110,7 @@ void ssl_scache_kill(server_rec *s) - - } - --BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, -+BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen, - apr_time_t expiry, SSL_SESSION *sess, - apr_pool_t *p) - { -@@ -144,7 +144,7 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, - return rv == APR_SUCCESS ? TRUE : FALSE; - } - --SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, -+SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen, - apr_pool_t *p) - { - SSLModConfigRec *mc = myModConfig(s); -@@ -173,7 +173,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, - return d2i_SSL_SESSION(NULL, &ptr, destlen); - } - --void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen, -+void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen, - apr_pool_t *p) - { - SSLModConfigRec *mc = myModConfig(s); -diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c -index ddde3c7..052d23e 100644 ---- a/modules/ssl/ssl_util.c -+++ b/modules/ssl/ssl_util.c -@@ -247,6 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *table, - } - - #if APR_HAS_THREADS -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* - * To ensure thread-safetyness in OpenSSL - work in progress - */ -@@ -362,6 +363,28 @@ static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l, - apr_pool_destroy(l->pool); - } - -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+ -+static void ssl_util_thr_id(CRYPTO_THREADID *id) -+{ -+ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread -+ * id is a structure twice that big. Use the TCB pointer instead as a -+ * unique unsigned long. -+ */ -+#ifdef __MVS__ -+ struct PSA { -+ char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */ -+ unsigned long PSATOLD; -+ } *psaptr = 0; /* PSA is at address 0 */ -+ -+ CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD); -+#else -+ CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current()); -+#endif -+} -+ -+#else -+ - static unsigned long ssl_util_thr_id(void) - { - /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread -@@ -380,10 +403,16 @@ static unsigned long ssl_util_thr_id(void) - #endif - } - -+#endif -+ - static apr_status_t ssl_util_thread_cleanup(void *data) - { - CRYPTO_set_locking_callback(NULL); -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+ CRYPTO_THREADID_set_callback(NULL); -+#else - CRYPTO_set_id_callback(NULL); -+#endif - - CRYPTO_set_dynlock_create_callback(NULL); - CRYPTO_set_dynlock_lock_callback(NULL); -@@ -407,7 +436,11 @@ void ssl_util_thread_setup(apr_pool_t *p) - apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p); - } - -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+ CRYPTO_THREADID_set_callback(ssl_util_thr_id); -+#else - CRYPTO_set_id_callback(ssl_util_thr_id); -+#endif - - CRYPTO_set_locking_callback(ssl_util_thr_lock); - -@@ -422,4 +455,5 @@ void ssl_util_thread_setup(apr_pool_t *p) - apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup, - apr_pool_cleanup_null); - } --#endif -+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ -+#endif /* #if APR_HAS_THREADS */ -diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c -index a7607c7..9807592 100644 ---- a/modules/ssl/ssl_util_ssl.c -+++ b/modules/ssl/ssl_util_ssl.c -@@ -488,7 +488,7 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file) - ** _________________________________________________________________ - */ - --char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen, -+char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen, - char *str, int strsize) - { - if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH) -diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h -index 5f74831..4f18f91 100644 ---- a/modules/ssl/ssl_util_ssl.h -+++ b/modules/ssl/ssl_util_ssl.h -@@ -41,7 +41,11 @@ - #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER - #define MODSSL_LIBRARY_NAME "OpenSSL" - #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) -+#else -+#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) -+#endif - - /** - * Maximum length of a DER encoded session. -@@ -67,7 +71,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsn - char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); - BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); - BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); --char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int); -+char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); - - #endif /* __SSL_UTIL_SSL_H__ */ - /** @} */ -diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c -index 413e40f..718a291 100644 ---- a/modules/ssl/ssl_util_stapling.c -+++ b/modules/ssl/ssl_util_stapling.c -@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) - X509 *issuer = NULL; - int i; - X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); -- X509_STORE_CTX inctx; -+ X509_STORE_CTX *inctx; - STACK_OF(X509) *extra_certs = NULL; - - #ifdef OPENSSL_NO_SSL_INTERN -@@ -91,18 +91,23 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) - for (i = 0; i < sk_X509_num(extra_certs); i++) { - issuer = sk_X509_value(extra_certs, i); - if (X509_check_issued(issuer, x) == X509_V_OK) { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); -+#else -+ X509_up_ref(issuer); -+#endif - return issuer; - } - } - -- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) -+ inctx = X509_STORE_CTX_new(); -+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) - return 0; -- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) -+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) - issuer = NULL; -- X509_STORE_CTX_cleanup(&inctx); -+ X509_STORE_CTX_cleanup(inctx); -+ X509_STORE_CTX_free(inctx); - return issuer; -- - } - - int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -398,7 +403,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, - - if (bio) { - int n; -- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) && -+ ASN1_INTEGER *pserial; -+ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid); -+ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) && - ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0)) - snum[n] = '\0'; - BIO_free(bio); -diff --git a/support/ab.c b/support/ab.c -index 072d2e6..3d61b2d 100644 ---- a/support/ab.c -+++ b/support/ab.c -@@ -2165,6 +2165,14 @@ int main(int argc, const char * const argv[]) - apr_getopt_t *opt; - const char *opt_arg; - char c; -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ int max_prot = TLS1_2_VERSION; -+#ifndef OPENSSL_NO_SSL3 -+ int min_prot = SSL3_VERSION; -+#else -+ int min_prot = TLS1_VERSION; -+#endif -+#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */ - #ifdef USE_SSL - AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method(); - #endif -@@ -2391,6 +2399,7 @@ int main(int argc, const char * const argv[]) - method_str[CUSTOM_METHOD] = strdup(opt_arg); - break; - case 'f': -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (strncasecmp(opt_arg, "ALL", 3) == 0) { - meth = SSLv23_client_method(); - #ifndef OPENSSL_NO_SSL2 -@@ -2416,6 +2425,31 @@ int main(int argc, const char * const argv[]) - } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { - meth = TLSv1_client_method(); - } -+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ -+ meth = TLS_client_method(); -+ if (strncasecmp(opt_arg, "ALL", 3) == 0) { -+ max_prot = TLS1_2_VERSION; -+#ifndef OPENSSL_NO_SSL3 -+ min_prot = SSL3_VERSION; -+#else -+ min_prot = TLS1_VERSION; -+#endif -+#ifndef OPENSSL_NO_SSL3 -+ } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { -+ max_prot = SSL3_VERSION; -+ min_prot = SSL3_VERSION; -+#endif -+ } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { -+ max_prot = TLS1_1_VERSION; -+ min_prot = TLS1_1_VERSION; -+ } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) { -+ max_prot = TLS1_2_VERSION; -+ min_prot = TLS1_2_VERSION; -+ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { -+ max_prot = TLS1_VERSION; -+ min_prot = TLS1_VERSION; -+ } -+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ - break; - #ifdef HAVE_TLSEXT - case 'I': -@@ -2465,7 +2499,11 @@ int main(int argc, const char * const argv[]) - #ifdef RSAREF - R_malloc_init(); - #else -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - CRYPTO_malloc_init(); -+#else -+ OPENSSL_malloc_init(); -+#endif - #endif - SSL_load_error_strings(); - SSL_library_init(); -@@ -2478,6 +2516,10 @@ int main(int argc, const char * const argv[]) - exit(1); - } - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot); -+ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot); -+#endif - #ifdef SSL_MODE_RELEASE_BUFFERS - /* Keep memory usage as low as possible */ - SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); |