diff options
author | G. Schlisio | 2017-05-12 09:30:12 +0200 |
---|---|---|
committer | G. Schlisio | 2017-05-12 09:30:12 +0200 |
commit | f2f3cdd762a3b4119746d7d0305009333142d9bd (patch) | |
tree | f74c5216b731e6624a69bf14c339444bbc3e2dfe | |
parent | 60eca00cd121386f39a845287f91e9feb18af677 (diff) | |
download | aur-f2f3cdd762a3b4119746d7d0305009333142d9bd.tar.gz |
added patch for openssl1.1
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 9 | ||||
-rw-r--r-- | httpd-2.4.23-openssl11.patch | 1307 |
3 files changed, 1316 insertions, 4 deletions
@@ -1,7 +1,7 @@ pkgbase = apache-tools pkgdesc = Useful Apache tools - htdigest, htpasswd, ab, htdbm pkgver = 2.4.25 - pkgrel = 1 + pkgrel = 2 url = http://httpd.apache.org/ arch = i686 arch = x86_64 @@ -14,8 +14,10 @@ pkgbase = apache-tools conflicts = apache source = http://www.apache.org/dist/httpd/httpd-2.4.25.tar.bz2 source = apache-tools-Makefile.patch + source = httpd-2.4.23-openssl11.patch sha256sums = f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2 sha256sums = 2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f + sha256sums = e87409c13feb2abd66d88cdb8c88c2cc408491adb7fd6793025a3ad2d6599a60 pkgname = apache-tools @@ -4,7 +4,7 @@ pkgname=apache-tools pkgver=2.4.25 -pkgrel=1 +pkgrel=2 pkgdesc="Useful Apache tools - htdigest, htpasswd, ab, htdbm" arch=("i686" "x86_64" "armv6h" "armv7h") url="http://httpd.apache.org/" @@ -13,13 +13,16 @@ depends=("apr-util" "pcre") makedepends=("apr-util") conflicts=(apache) source=(http://www.apache.org/dist/httpd/httpd-$pkgver.tar.bz2 - $pkgname-Makefile.patch) + $pkgname-Makefile.patch + httpd-2.4.23-openssl11.patch) sha256sums=('f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2' - '2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f') + '2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f' + 'e87409c13feb2abd66d88cdb8c88c2cc408491adb7fd6793025a3ad2d6599a60') prepare() { cd httpd-$pkgver/ patch -p1 -i ../$pkgname-Makefile.patch + patch -p1 -i ../httpd-2.4.23-openssl11.patch } build() { diff --git a/httpd-2.4.23-openssl11.patch b/httpd-2.4.23-openssl11.patch new file mode 100644 index 000000000000..006ac7049f1e --- /dev/null +++ b/httpd-2.4.23-openssl11.patch @@ -0,0 +1,1307 @@ +diff --git a/acinclude.m4 b/acinclude.m4 +index dd0e2ea..907fbe8 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -579,7 +579,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[ + dnl Run library and function checks + liberrors="" + AC_CHECK_HEADERS([openssl/engine.h]) +- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) ++ AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"]) + AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd]) + if test "x$liberrors" != "x"; then + AC_MSG_WARN([OpenSSL libraries are unusable]) +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +index 9e63a7d..adc90d1 100644 +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -312,7 +312,13 @@ static apr_status_t ssl_cleanup_pre_config(void *data) + #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES + ENGINE_cleanup(); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x1000000fL ++ ERR_remove_thread_state(NULL); ++#else + ERR_remove_state(0); ++#endif ++#endif + + /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only + * actually loaded the error strings once per process due to static +@@ -342,7 +348,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, + /* We must register the library in full, to ensure our configuration + * code can successfully test the SSL environment. + */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_malloc_init(); ++#else ++ OPENSSL_malloc_init(); ++#endif + ERR_load_crypto_strings(); + SSL_load_error_strings(); + SSL_library_init(); +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index cb3efa2..ba79ef3 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -47,21 +47,50 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server, + #define KEYTYPES "RSA or DSA" + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++/* OpenSSL Pre-1.1.0 compatibility */ ++/* Taken from OpenSSL 1.1.0 snapshot 20160410 */ ++static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* q is optional */ ++ if (p == NULL || g == NULL) ++ return 0; ++ BN_free(dh->p); ++ BN_free(dh->q); ++ BN_free(dh->g); ++ dh->p = p; ++ dh->q = q; ++ dh->g = g; ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++#endif ++ + /* +- * Grab well-defined DH parameters from OpenSSL, see the get_rfc* ++ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* + * functions in <openssl/bn.h> for all available primes. + */ +-static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen) ++static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *)) + { + DH *dh = DH_new(); ++ BIGNUM *p, *g; + + if (!dh) { + return NULL; + } +- dh->p = prime(NULL); +- BN_dec2bn(&dh->g, gen); +- if (!dh->p || !dh->g) { ++ p = prime(NULL); ++ g = BN_new(); ++ if (g != NULL) { ++ BN_set_word(g, 2); ++ } ++ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) { + DH_free(dh); ++ BN_free(p); ++ BN_free(g); + return NULL; + } + return dh; +@@ -73,12 +102,12 @@ static struct dhparam { + DH *dh; /* ...this, used for keys.... */ + const unsigned int min; /* ...of length >= this. */ + } dhparams[] = { +- { get_rfc3526_prime_8192, NULL, 6145 }, +- { get_rfc3526_prime_6144, NULL, 4097 }, +- { get_rfc3526_prime_4096, NULL, 3073 }, +- { get_rfc3526_prime_3072, NULL, 2049 }, +- { get_rfc3526_prime_2048, NULL, 1025 }, +- { get_rfc2409_prime_1024, NULL, 0 } ++ { BN_get_rfc3526_prime_8192, NULL, 6145 }, ++ { BN_get_rfc3526_prime_6144, NULL, 4097 }, ++ { BN_get_rfc3526_prime_4096, NULL, 3073 }, ++ { BN_get_rfc3526_prime_3072, NULL, 2049 }, ++ { BN_get_rfc3526_prime_2048, NULL, 1025 }, ++ { BN_get_rfc2409_prime_1024, NULL, 0 } + }; + + static void init_dh_params(void) +@@ -86,7 +115,7 @@ static void init_dh_params(void) + unsigned n; + + for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++) +- dhparams[n].dh = make_dh_params(dhparams[n].prime, "2"); ++ dhparams[n].dh = make_dh_params(dhparams[n].prime); + } + + static void free_dh_params(void) +@@ -153,7 +182,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + "Init: this version of mod_ssl was compiled against " + "a newer library (%s, version currently loaded is %s)" + " - may result in undefined or erroneous behavior", +- MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION)); ++ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT); + } + + /* We initialize mc->pid per-process in the child init, +@@ -228,9 +257,11 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + #endif + } + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #if APR_HAS_THREADS + ssl_util_thread_setup(p); + #endif ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + + /* + * SSL external crypto device ("engine") support +@@ -351,6 +382,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ + + init_dh_params(); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ init_bio_methods(); ++#endif + + return OK; + } +@@ -481,6 +515,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + char *cp; + int protocol = mctx->protocol; + SSLSrvConfigRec *sc = mySrvConfig(s); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ int prot; ++#endif + + /* + * Create the new per-server SSL context +@@ -506,6 +543,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, + "Creating new SSL context (protocols: %s)", cp); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #ifndef OPENSSL_NO_SSL3 + if (protocol == SSL_PROTOCOL_SSLV3) { + method = mctx->pkp ? +@@ -536,12 +574,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + SSLv23_client_method() : /* proxy */ + SSLv23_server_method(); /* server */ + } ++#else ++ method = mctx->pkp ? ++ TLS_client_method() : /* proxy */ ++ TLS_server_method(); /* server */ ++#endif + ctx = SSL_CTX_new(method); + + mctx->ssl_ctx = ctx; + + SSL_CTX_set_options(ctx, SSL_OP_ALL); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* always disable SSLv2, as per RFC 6176 */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + +@@ -565,6 +609,43 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + } + #endif + ++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ /* We first determine the maximum protocol version we should provide */ ++ if (protocol & SSL_PROTOCOL_TLSV1_2) { ++ prot = TLS1_2_VERSION; ++ } else if (protocol & SSL_PROTOCOL_TLSV1_1) { ++ prot = TLS1_1_VERSION; ++ } else if (protocol & SSL_PROTOCOL_TLSV1) { ++ prot = TLS1_VERSION; ++#ifndef OPENSSL_NO_SSL3 ++ } else if (protocol & SSL_PROTOCOL_SSLV3) { ++ prot = SSL3_VERSION; ++#endif ++ } else { ++ SSL_CTX_free(ctx); ++ mctx->ssl_ctx = NULL; ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) ++ "No SSL protocols available [hint: SSLProtocol]"); ++ return ssl_die(s); ++ } ++ SSL_CTX_set_max_proto_version(ctx, prot); ++ ++ /* Next we scan for the minimal protocol version we should provide, ++ * but we do not allow holes between max and min */ ++ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { ++ prot = TLS1_1_VERSION; ++ } ++ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { ++ prot = TLS1_VERSION; ++ } ++#ifndef OPENSSL_NO_SSL3 ++ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) { ++ prot = SSL3_VERSION; ++ } ++#endif ++ SSL_CTX_set_min_proto_version(ctx, prot); ++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if (sc->cipher_server_pref == TRUE) { + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); +@@ -858,7 +939,7 @@ static int use_certificate_chain( + unsigned long err; + int n; + +- if ((bio = BIO_new(BIO_s_file_internal())) == NULL) ++ if ((bio = BIO_new(BIO_s_file())) == NULL) + return -1; + if (BIO_read_filename(bio, file) <= 0) { + BIO_free(bio); +@@ -1200,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, + SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) + "Custom DH parameters (%d bits) for %s loaded from %s", +- BN_num_bits(dhparams->p), vhost_id, certfile); ++ DH_bits(dhparams), vhost_id, certfile); + DH_free(dhparams); + } + +@@ -1721,7 +1802,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) + "an OpenSSL version with support for TLS extensions " + "(RFC 6066 - Server Name Indication / SNI), " + "but the currently used library version (%s) is " +- "lacking this feature", SSLeay_version(SSLEAY_VERSION)); ++ "lacking this feature", MODSSL_LIBRARY_DYNTEXT); + } + #endif + +@@ -1917,6 +1998,9 @@ apr_status_t ssl_init_ModuleKill(void *data) + ssl_init_ctx_cleanup(sc->server); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ free_bio_methods(); ++#endif + free_dh_params(); + + return APR_SUCCESS; +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +index 82953ad..b463e1a 100644 +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -149,7 +149,7 @@ static int bio_filter_out_pass(bio_filter_out_ctx_t *outctx) + * success, -1 on failure. */ + static int bio_filter_out_flush(BIO *bio) + { +- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); + apr_bucket *e; + + AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb)); +@@ -162,10 +162,16 @@ static int bio_filter_out_flush(BIO *bio) + + static int bio_filter_create(BIO *bio) + { +- bio->shutdown = 1; +- bio->init = 1; ++ BIO_set_shutdown(bio, 1); ++ BIO_set_init(bio, 1); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ /* No setter method for OpenSSL 1.1.0 available, ++ * but I can't find any functional use of the ++ * "num" field there either. ++ */ + bio->num = -1; +- bio->ptr = NULL; ++#endif ++ BIO_set_data(bio, NULL); + + return 1; + } +@@ -190,7 +196,7 @@ static int bio_filter_out_read(BIO *bio, char *out, int outl) + + static int bio_filter_out_write(BIO *bio, const char *in, int inl) + { +- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); + apr_bucket *e; + int need_flush; + +@@ -241,7 +247,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) + static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) + { + long ret = 1; +- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); + + switch (cmd) { + case BIO_CTRL_RESET: +@@ -257,10 +263,10 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) + ret = 0; + break; + case BIO_CTRL_GET_CLOSE: +- ret = (long)bio->shutdown; ++ ret = (long)BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: +- bio->shutdown = (int)num; ++ BIO_set_shutdown(bio, (int)num); + break; + case BIO_CTRL_FLUSH: + ret = bio_filter_out_flush(bio); +@@ -294,19 +300,6 @@ static int bio_filter_out_puts(BIO *bio, const char *str) + return -1; + } + +-static BIO_METHOD bio_filter_out_method = { +- BIO_TYPE_MEM, +- "APR output filter", +- bio_filter_out_write, +- bio_filter_out_read, /* read is never called */ +- bio_filter_out_puts, /* puts is never called */ +- bio_filter_out_gets, /* gets is never called */ +- bio_filter_out_ctrl, +- bio_filter_create, +- bio_filter_destroy, +- NULL +-}; +- + typedef struct { + int length; + char *value; +@@ -456,7 +449,7 @@ static apr_status_t brigade_consume(apr_bucket_brigade *bb, + static int bio_filter_in_read(BIO *bio, char *in, int inlen) + { + apr_size_t inl = inlen; +- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr); ++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); + apr_read_type_e block = inctx->block; + + inctx->rc = APR_SUCCESS; +@@ -536,20 +529,86 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) + return -1; + } + ++static int bio_filter_in_write(BIO *bio, const char *in, int inl) ++{ ++ return -1; ++} ++ ++static int bio_filter_in_puts(BIO *bio, const char *str) ++{ ++ return -1; ++} ++ ++static int bio_filter_in_gets(BIO *bio, char *buf, int size) ++{ ++ return -1; ++} ++ ++static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) ++{ ++ return -1; ++} ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++static BIO_METHOD bio_filter_out_method = { ++ BIO_TYPE_MEM, ++ "APR output filter", ++ bio_filter_out_write, ++ bio_filter_out_read, /* read is never called */ ++ bio_filter_out_puts, /* puts is never called */ ++ bio_filter_out_gets, /* gets is never called */ ++ bio_filter_out_ctrl, ++ bio_filter_create, ++ bio_filter_destroy, ++ NULL ++}; + + static BIO_METHOD bio_filter_in_method = { + BIO_TYPE_MEM, + "APR input filter", +- NULL, /* write is never called */ ++ bio_filter_in_write, /* write is never called */ + bio_filter_in_read, +- NULL, /* puts is never called */ +- NULL, /* gets is never called */ +- NULL, /* ctrl is never called */ ++ bio_filter_in_puts, /* puts is never called */ ++ bio_filter_in_gets, /* gets is never called */ ++ bio_filter_in_ctrl, /* ctrl is never called */ + bio_filter_create, + bio_filter_destroy, + NULL + }; + ++#else ++ ++static BIO_METHOD *bio_filter_out_method = NULL; ++static BIO_METHOD *bio_filter_in_method = NULL; ++ ++void init_bio_methods(void) ++{ ++ bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter"); ++ BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write); ++ BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */ ++ BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */ ++ BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */ ++ BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl); ++ BIO_meth_set_create(bio_filter_out_method, &bio_filter_create); ++ BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy); ++ ++ bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter"); ++ BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */ ++ BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read); ++ BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */ ++ BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */ ++ BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */ ++ BIO_meth_set_create(bio_filter_in_method, &bio_filter_create); ++ BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy); ++} ++ ++void free_bio_methods(void) ++{ ++ BIO_meth_free(bio_filter_out_method); ++ BIO_meth_free(bio_filter_in_method); ++} ++#endif + + static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, + char *buf, +@@ -789,7 +848,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f, + */ + ERR_clear_error(); + +- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; ++ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); + res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len); + + if (res < 0) { +@@ -1267,9 +1326,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + + if ((n = SSL_accept(filter_ctx->pssl)) <= 0) { + bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *) +- (filter_ctx->pbioRead->ptr); ++ BIO_get_data(filter_ctx->pbioRead); + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *) +- (filter_ctx->pbioWrite->ptr); ++ BIO_get_data(filter_ctx->pbioWrite); + apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ; + ssl_err = SSL_get_error(filter_ctx->pssl, n); + +@@ -1682,8 +1741,8 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, + return ap_pass_brigade(f->next, bb); + } + +- inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr; +- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; ++ inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead); ++ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); + + /* When we are the writer, we must initialize the inctx + * mode so that we block for any required ssl input, because +@@ -1964,8 +2023,12 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, + + filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); +- filter_ctx->pbioRead->ptr = (void *)inctx; ++#else ++ filter_ctx->pbioRead = BIO_new(bio_filter_in_method); ++#endif ++ BIO_set_data(filter_ctx->pbioRead, (void *)inctx); + + inctx->ssl = ssl; + inctx->bio_out = filter_ctx->pbioWrite; +@@ -1995,8 +2058,12 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl) + filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, + filter_ctx, r, c); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); +- filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c); ++#else ++ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); ++#endif ++ BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c)); + + /* write is non blocking for the benefit of async mpm */ + if (c->cs) { +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index d4459a2..da2776f 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -80,7 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r) + SSL_set_accept_state(ssl); + SSL_do_handshake(ssl); + +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) + "TLS upgrade handshake failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +@@ -114,6 +114,7 @@ static int has_buffered_data(request_rec *r) + return result; + } + ++#ifdef HAVE_TLSEXT + static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) + { + int i; +@@ -215,6 +216,7 @@ static int ssl_server_compatible(server_rec *s1, server_rec *s2) + + return 1; + } ++#endif + + /* + * Post Read Request Handler +@@ -432,7 +434,7 @@ int ssl_hook_Access(request_rec *r) + X509 *cert; + X509 *peercert; + X509_STORE *cert_store = NULL; +- X509_STORE_CTX cert_store_ctx; ++ X509_STORE_CTX *cert_store_ctx; + STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; + const SSL_CIPHER *cipher = NULL; + int depth, verify_old, verify, n, is_slave = 0; +@@ -456,7 +458,7 @@ int ssl_hook_Access(request_rec *r) + * forbidden in the latter case, let ap_die() handle + * this recursive (same) error. + */ +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + return HTTP_FORBIDDEN; + } + ctx = SSL_get_SSL_CTX(ssl); +@@ -622,7 +624,7 @@ int ssl_hook_Access(request_rec *r) + !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list)); + n++) + { +- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); ++ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); + + if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) { + renegotiate = TRUE; +@@ -633,7 +635,7 @@ int ssl_hook_Access(request_rec *r) + !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old)); + n++) + { +- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); ++ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); + + if (sk_SSL_CIPHER_find(cipher_list, value) < 0) { + renegotiate = TRUE; +@@ -914,25 +916,27 @@ int ssl_hook_Access(request_rec *r) + cert = sk_X509_value(cert_stack, 0); + } + +- X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); ++ cert_store_ctx = X509_STORE_CTX_new(); ++ X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); + depth = SSL_get_verify_depth(ssl); + + if (depth >= 0) { +- X509_STORE_CTX_set_depth(&cert_store_ctx, depth); ++ X509_STORE_CTX_set_depth(cert_store_ctx, depth); + } + +- X509_STORE_CTX_set_ex_data(&cert_store_ctx, ++ X509_STORE_CTX_set_ex_data(cert_store_ctx, + SSL_get_ex_data_X509_STORE_CTX_idx(), + (char *)ssl); + +- if (!X509_verify_cert(&cert_store_ctx)) { ++ if (!X509_verify_cert(cert_store_ctx)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) + "Re-negotiation verification step failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); + } + +- SSL_set_verify_result(ssl, cert_store_ctx.error); +- X509_STORE_CTX_cleanup(&cert_store_ctx); ++ SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); ++ X509_STORE_CTX_cleanup(cert_store_ctx); ++ X509_STORE_CTX_free(cert_store_ctx); + + if (cert_stack != SSL_get_peer_cert_chain(ssl)) { + /* we created this ourselves, so free it */ +@@ -940,6 +944,7 @@ int ssl_hook_Access(request_rec *r) + } + } + else { ++ char peekbuf[1]; + const char *reneg_support; + request_rec *id = r->main ? r->main : r; + +@@ -983,7 +988,7 @@ int ssl_hook_Access(request_rec *r) + SSL_renegotiate(ssl); + SSL_do_handshake(ssl); + +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225) + "Re-negotiation request failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +@@ -999,16 +1004,15 @@ int ssl_hook_Access(request_rec *r) + * However, this causes failures in perl-framework currently, + * perhaps pre-test if we have already negotiated? + */ +-#ifdef OPENSSL_NO_SSL_INTERN +- SSL_set_state(ssl, SSL_ST_ACCEPT); +-#else +- ssl->state = SSL_ST_ACCEPT; +-#endif +- SSL_do_handshake(ssl); ++ /* Need to trigger renegotiation handshake by reading. ++ * Peeking 0 bytes actually works. ++ * See: http://marc.info/?t=145493359200002&r=1&w=2 ++ */ ++ SSL_peek(ssl, peekbuf, 0); + + sslconn->reneg_state = RENEG_REJECT; + +- if (SSL_get_state(ssl) != SSL_ST_OK) { ++ if (!SSL_is_init_finished(ssl)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) + "Re-negotiation handshake failed"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +@@ -1513,7 +1517,11 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) + SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); + #endif + pkey = SSL_get_privatekey(ssl); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; ++#else ++ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; ++#endif + + /* + * OpenSSL will call us with either keylen == 512 or keylen == 1024 +@@ -1725,11 +1733,19 @@ static void modssl_proxy_info_log(conn_rec *c, + * so we need to increment here to prevent them from + * being freed. + */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define modssl_set_cert_info(info, cert, pkey) \ + *cert = info->x509; \ + CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ + *pkey = info->x_pkey->dec_pkey; \ + CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY) ++#else ++#define modssl_set_cert_info(info, cert, pkey) \ ++ *cert = info->x509; \ ++ X509_up_ref(*cert); \ ++ *pkey = info->x_pkey->dec_pkey; \ ++ EVP_PKEY_up_ref(*pkey); ++#endif + + int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) + { +@@ -1823,7 +1839,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) + + static void ssl_session_log(server_rec *s, + const char *request, +- unsigned char *id, ++ IDCONST unsigned char *id, + unsigned int idlen, + const char *status, + const char *result, +@@ -1863,7 +1879,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session) + SSLSrvConfigRec *sc = mySrvConfig(s); + long timeout = sc->session_cache_timeout; + BOOL rc; +- unsigned char *id; ++ IDCONST unsigned char *id; + unsigned int idlen; + + /* +@@ -1907,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session) + * of our other Apache pre-forked server processes. + */ + SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, +- unsigned char *id, ++ IDCONST unsigned char *id, + int idlen, int *do_copy) + { + /* Get Apache context back through OpenSSL context */ +@@ -1946,7 +1962,7 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx, + { + server_rec *s; + SSLSrvConfigRec *sc; +- unsigned char *id; ++ IDCONST unsigned char *id; + unsigned int idlen; + + /* +@@ -2067,15 +2083,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) + /* If the reneg state is to reject renegotiations, check the SSL + * state machine and move to ABORT if a Client Hello is being + * read. */ +- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { +- int state = SSL_get_state((SSL *)ssl); +- +- if (state == SSL3_ST_SR_CLNT_HELLO_A +- || state == SSL23_ST_SR_CLNT_HELLO_A) { ++ if (!scr->is_proxy && ++ (where & SSL_CB_HANDSHAKE_START) && ++ scr->reneg_state == RENEG_REJECT) { + scr->reneg_state = RENEG_ABORT; + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) + "rejecting client initiated renegotiation"); +- } + } + /* If the first handshake is complete, change state to reject any + * subsequent client-initiated renegotiation. */ +@@ -2279,7 +2292,7 @@ int ssl_callback_SessionTicket(SSL *ssl, + } + + memcpy(keyname, ticket_key->key_name, 16); +- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); ++ RAND_bytes(iv, EVP_MAX_IV_LENGTH); + EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, + ticket_key->aes_key, iv); + HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); +@@ -2416,17 +2429,27 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) + SRP_user_pwd *u; + + if (username == NULL ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { ++#else ++ || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) { ++#endif + *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; + return SSL3_AL_FATAL; + } + + if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ SRP_user_pwd_free(u); ++#endif + *ad = SSL_AD_INTERNAL_ERROR; + return SSL3_AL_FATAL; + } + + /* reset all other options */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ SRP_user_pwd_free(u); ++#endif + SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); + return SSL_ERROR_NONE; + } +diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c +index f295651..282a2a2 100644 +--- a/modules/ssl/ssl_engine_ocsp.c ++++ b/modules/ssl/ssl_engine_ocsp.c +@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert, + { + OCSP_REQUEST *req = OCSP_REQUEST_new(); + +- *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); ++ *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx)); + if (!*certid || !OCSP_request_add0_id(req, *certid)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) + "could not retrieve certificate id"); +@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, + + if (rc == V_OCSP_CERTSTATUS_GOOD) { + /* TODO: allow flags configuration. */ +- if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { ++ if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) + "failed to verify the OCSP response"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); +@@ -262,7 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, + "No cert available to check with OCSP"); + return 1; + } +- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { ++ else if (X509_check_issued(cert,cert) == X509_V_OK) { + /* don't do OCSP checking for valid self-issued certs */ + ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, + "Skipping OCSP check for valid self-issued cert"); +diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c +index 036cb36..42c22b0 100644 +--- a/modules/ssl/ssl_engine_vars.c ++++ b/modules/ssl/ssl_engine_vars.c +@@ -380,7 +380,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, + char buf[MODSSL_SESSION_ID_STRING_LEN]; + SSL_SESSION *pSession = SSL_get_session(ssl); + if (pSession) { +- unsigned char *id; ++ IDCONST unsigned char *id; + unsigned int idlen; + + #ifdef OPENSSL_NO_SSL_INTERN +@@ -545,13 +545,25 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + resdup = FALSE; + } + else if (strcEQ(var, "A_SIG")) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); ++#else ++ ASN1_OBJECT *paobj; ++ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs)); ++ nid = OBJ_obj2nid(paobj); ++#endif + result = apr_pstrdup(p, + (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); + resdup = FALSE; + } + else if (strcEQ(var, "A_KEY")) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm)); ++#else ++ ASN1_OBJECT *paobj; ++ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs)); ++ nid = OBJ_obj2nid(paobj); ++#endif + result = apr_pstrdup(p, + (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); + resdup = FALSE; +@@ -613,11 +625,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char * + for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) { + if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen) + && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) { +- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *) +- xsname->entries); +- j++) { +- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *) +- xsname->entries, j); ++ for (j = 0; j < X509_NAME_entry_count(xsname); j++) { ++ xsne = X509_NAME_get_entry(xsname, j); + + n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); + +@@ -919,7 +928,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var) + static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, + X509_NAME *xn, apr_pool_t *p) + { +- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries; + X509_NAME_ENTRY *xsne; + apr_hash_t *count; + int i, nid; +@@ -929,10 +937,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, + count = apr_hash_make(p); + + /* For each RDN... */ +- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) { ++ for (i = 0; i < X509_NAME_entry_count(xn); i++) { + const char *tag; +- +- xsne = sk_X509_NAME_ENTRY_value(ents, i); ++ xsne = X509_NAME_get_entry(xn, i); + + /* Retrieve the nid, and check whether this is one of the nids + * which are to be extracted. */ +@@ -1106,7 +1113,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, + for (j = 0; j < count; j++) { + X509_EXTENSION *ext = X509_get_ext(xs, j); + +- if (OBJ_cmp(ext->object, oid) == 0) { ++ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { + BIO *bio = BIO_new(BIO_s_mem()); + + /* We want to obtain a string representation of the extensions +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 7813e41..08de3a1 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -135,6 +135,13 @@ + #define HAVE_SSL_CONF_CMD + #endif + ++/* session id constness */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define IDCONST ++#else ++#define IDCONST const ++#endif ++ + /** + * The following features all depend on TLS extension support. + * Within this block, check again for features (not version numbers). +@@ -151,6 +158,8 @@ + /* OCSP stapling */ + #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) + #define HAVE_OCSP_STAPLING ++/* All exist but are no longer macros since OpenSSL 1.1.0 */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* backward compatibility with OpenSSL < 1.0 */ + #ifndef sk_OPENSSL_STRING_num + #define sk_OPENSSL_STRING_num sk_num +@@ -161,7 +170,8 @@ + #ifndef sk_OPENSSL_STRING_pop + #define sk_OPENSSL_STRING_pop sk_pop + #endif +-#endif ++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */ + + /* TLS session tickets */ + #if defined(SSL_CTX_set_tlsext_ticket_key_cb) +@@ -189,6 +199,36 @@ + + #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 ++#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 ++#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 ++#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048 ++#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072 ++#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 ++#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 ++#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 ++#define BIO_set_init(x,v) (x->init=v) ++#define BIO_get_data(x) (x->ptr) ++#define BIO_set_data(x,v) (x->ptr=v) ++#define BIO_get_shutdown(x) (x->shutdown) ++#define BIO_set_shutdown(x,v) (x->shutdown=v) ++#define DH_bits(x) (BN_num_bits(x->p)) ++#else ++void init_bio_methods(void); ++void free_bio_methods(void); ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x10002000L ++#define X509_STORE_CTX_get0_store(x) (x->ctx) ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x10000000L ++#ifndef X509_STORE_CTX_get0_current_issuer ++#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) ++#endif ++#endif ++ + /* mod_ssl headers */ + #include "ssl_util_ssl.h" + +@@ -454,12 +494,12 @@ typedef struct { + * partial fix for CVE-2009-3555. */ + enum { + RENEG_INIT = 0, /* Before initial handshake */ +- RENEG_REJECT, /* After initial handshake; any client-initiated +- * renegotiation should be rejected */ +- RENEG_ALLOW, /* A server-initiated renegotiation is taking +- * place (as dictated by configuration) */ +- RENEG_ABORT /* Renegotiation initiated by client, abort the +- * connection */ ++ RENEG_REJECT, /* After initial handshake; any client-initiated ++ * renegotiation should be rejected */ ++ RENEG_ALLOW, /* A server-initiated renegotiation is taking ++ * place (as dictated by configuration) */ ++ RENEG_ABORT /* Renegotiation initiated by client, abort the ++ * connection */ + } reneg_state; + + server_rec *server; +@@ -810,7 +850,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CTX *); + int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); + int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); +-SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); ++SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *); + void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); + void ssl_callback_Info(const SSL *, int, int); + #ifdef HAVE_TLSEXT +@@ -831,10 +871,10 @@ int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out, + apr_status_t ssl_scache_init(server_rec *, apr_pool_t *); + void ssl_scache_status_register(apr_pool_t *p); + void ssl_scache_kill(server_rec *); +-BOOL ssl_scache_store(server_rec *, UCHAR *, int, ++BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, + apr_time_t, SSL_SESSION *, apr_pool_t *); +-SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *); +-void ssl_scache_remove(server_rec *, UCHAR *, int, ++SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *); ++void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, + apr_pool_t *); + + /** Proxy Support */ +@@ -882,7 +922,9 @@ void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); + char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, + const char * const *); + BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + void ssl_util_thread_setup(apr_pool_t *); ++#endif + int ssl_init_ssl_connection(conn_rec *c, request_rec *r); + + BOOL ssl_util_vhost_matches(const char *servername, server_rec *s); +diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c +index 70d1877..7b4a203 100644 +--- a/modules/ssl/ssl_scache.c ++++ b/modules/ssl/ssl_scache.c +@@ -110,7 +110,7 @@ void ssl_scache_kill(server_rec *s) + + } + +-BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, ++BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen, + apr_time_t expiry, SSL_SESSION *sess, + apr_pool_t *p) + { +@@ -144,7 +144,7 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, + return rv == APR_SUCCESS ? TRUE : FALSE; + } + +-SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, ++SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen, + apr_pool_t *p) + { + SSLModConfigRec *mc = myModConfig(s); +@@ -173,7 +173,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, + return d2i_SSL_SESSION(NULL, &ptr, destlen); + } + +-void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen, ++void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen, + apr_pool_t *p) + { + SSLModConfigRec *mc = myModConfig(s); +diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c +index ddde3c7..052d23e 100644 +--- a/modules/ssl/ssl_util.c ++++ b/modules/ssl/ssl_util.c +@@ -247,6 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *table, + } + + #if APR_HAS_THREADS ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* + * To ensure thread-safetyness in OpenSSL - work in progress + */ +@@ -362,6 +363,28 @@ static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l, + apr_pool_destroy(l->pool); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ ++static void ssl_util_thr_id(CRYPTO_THREADID *id) ++{ ++ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread ++ * id is a structure twice that big. Use the TCB pointer instead as a ++ * unique unsigned long. ++ */ ++#ifdef __MVS__ ++ struct PSA { ++ char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */ ++ unsigned long PSATOLD; ++ } *psaptr = 0; /* PSA is at address 0 */ ++ ++ CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD); ++#else ++ CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current()); ++#endif ++} ++ ++#else ++ + static unsigned long ssl_util_thr_id(void) + { + /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread +@@ -380,10 +403,16 @@ static unsigned long ssl_util_thr_id(void) + #endif + } + ++#endif ++ + static apr_status_t ssl_util_thread_cleanup(void *data) + { + CRYPTO_set_locking_callback(NULL); ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ CRYPTO_THREADID_set_callback(NULL); ++#else + CRYPTO_set_id_callback(NULL); ++#endif + + CRYPTO_set_dynlock_create_callback(NULL); + CRYPTO_set_dynlock_lock_callback(NULL); +@@ -407,7 +436,11 @@ void ssl_util_thread_setup(apr_pool_t *p) + apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ CRYPTO_THREADID_set_callback(ssl_util_thr_id); ++#else + CRYPTO_set_id_callback(ssl_util_thr_id); ++#endif + + CRYPTO_set_locking_callback(ssl_util_thr_lock); + +@@ -422,4 +455,5 @@ void ssl_util_thread_setup(apr_pool_t *p) + apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup, + apr_pool_cleanup_null); + } +-#endif ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++#endif /* #if APR_HAS_THREADS */ +diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c +index a7607c7..9807592 100644 +--- a/modules/ssl/ssl_util_ssl.c ++++ b/modules/ssl/ssl_util_ssl.c +@@ -488,7 +488,7 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file) + ** _________________________________________________________________ + */ + +-char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen, ++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen, + char *str, int strsize) + { + if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH) +diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h +index 5f74831..4f18f91 100644 +--- a/modules/ssl/ssl_util_ssl.h ++++ b/modules/ssl/ssl_util_ssl.h +@@ -41,7 +41,11 @@ + #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER + #define MODSSL_LIBRARY_NAME "OpenSSL" + #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) ++#else ++#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) ++#endif + + /** + * Maximum length of a DER encoded session. +@@ -67,7 +71,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsn + char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); + BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); + BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); +-char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int); ++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); + + #endif /* __SSL_UTIL_SSL_H__ */ + /** @} */ +diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c +index 413e40f..718a291 100644 +--- a/modules/ssl/ssl_util_stapling.c ++++ b/modules/ssl/ssl_util_stapling.c +@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) + X509 *issuer = NULL; + int i; + X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); +- X509_STORE_CTX inctx; ++ X509_STORE_CTX *inctx; + STACK_OF(X509) *extra_certs = NULL; + + #ifdef OPENSSL_NO_SSL_INTERN +@@ -91,18 +91,23 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) + for (i = 0; i < sk_X509_num(extra_certs); i++) { + issuer = sk_X509_value(extra_certs, i); + if (X509_check_issued(issuer, x) == X509_V_OK) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); ++#else ++ X509_up_ref(issuer); ++#endif + return issuer; + } + } + +- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) ++ inctx = X509_STORE_CTX_new(); ++ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) + return 0; +- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) ++ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) + issuer = NULL; +- X509_STORE_CTX_cleanup(&inctx); ++ X509_STORE_CTX_cleanup(inctx); ++ X509_STORE_CTX_free(inctx); + return issuer; +- + } + + int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, +@@ -398,7 +403,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, + + if (bio) { + int n; +- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) && ++ ASN1_INTEGER *pserial; ++ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid); ++ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) && + ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0)) + snum[n] = '\0'; + BIO_free(bio); +diff --git a/support/ab.c b/support/ab.c +index 072d2e6..3d61b2d 100644 +--- a/support/ab.c ++++ b/support/ab.c +@@ -2165,6 +2165,14 @@ int main(int argc, const char * const argv[]) + apr_getopt_t *opt; + const char *opt_arg; + char c; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ int max_prot = TLS1_2_VERSION; ++#ifndef OPENSSL_NO_SSL3 ++ int min_prot = SSL3_VERSION; ++#else ++ int min_prot = TLS1_VERSION; ++#endif ++#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */ + #ifdef USE_SSL + AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method(); + #endif +@@ -2391,6 +2399,7 @@ int main(int argc, const char * const argv[]) + method_str[CUSTOM_METHOD] = strdup(opt_arg); + break; + case 'f': ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + if (strncasecmp(opt_arg, "ALL", 3) == 0) { + meth = SSLv23_client_method(); + #ifndef OPENSSL_NO_SSL2 +@@ -2416,6 +2425,31 @@ int main(int argc, const char * const argv[]) + } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { + meth = TLSv1_client_method(); + } ++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ meth = TLS_client_method(); ++ if (strncasecmp(opt_arg, "ALL", 3) == 0) { ++ max_prot = TLS1_2_VERSION; ++#ifndef OPENSSL_NO_SSL3 ++ min_prot = SSL3_VERSION; ++#else ++ min_prot = TLS1_VERSION; ++#endif ++#ifndef OPENSSL_NO_SSL3 ++ } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { ++ max_prot = SSL3_VERSION; ++ min_prot = SSL3_VERSION; ++#endif ++ } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { ++ max_prot = TLS1_1_VERSION; ++ min_prot = TLS1_1_VERSION; ++ } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) { ++ max_prot = TLS1_2_VERSION; ++ min_prot = TLS1_2_VERSION; ++ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { ++ max_prot = TLS1_VERSION; ++ min_prot = TLS1_VERSION; ++ } ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + break; + #ifdef HAVE_TLSEXT + case 'I': +@@ -2465,7 +2499,11 @@ int main(int argc, const char * const argv[]) + #ifdef RSAREF + R_malloc_init(); + #else ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_malloc_init(); ++#else ++ OPENSSL_malloc_init(); ++#endif + #endif + SSL_load_error_strings(); + SSL_library_init(); +@@ -2478,6 +2516,10 @@ int main(int argc, const char * const argv[]) + exit(1); + } + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot); ++ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot); ++#endif + #ifdef SSL_MODE_RELEASE_BUFFERS + /* Keep memory usage as low as possible */ + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); |