ssl_util_ssl.h

* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused second argument.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Adjust accordingly.

* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h: Remove modssl_read_encrypted_pkey() and helpers, added in r1804087 but never used.

Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing users to convert an attribute value without conversion to UTF-8. (A public CA has issued certs with attributes tagged as the wrong ASN.1 string types.)

* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as macro.
  (modssl_X509_NAME_ENTRY_to_string): Add raw argument.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw string conversion if _RAW suffix is present in DN component.

On the trunk:

mod_md: new module for managing domains across VirtualHosts

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

Support for OpenSSL 1.1.0:

- The callback function passed to SSL_CTX_sess_set_get_cb() now needs the session id argument to be const. So constify the session id.

Support for OpenSSL 1.1.0:

- don't check for SSLeay_version() in configure. The function no longer exists in 1.1.0. It was replaced by OpenSSL_version().
- Switch between SSLeay_version(U) and OpenSSL_version() depending on version in modules/ssl/ssl_util_ssl.h.
- Use MODSSL_LIBRARY_DYNTEXT everywhere.

Add support for extracting the msUPN and dnsSRV forms of subjectAltName entries of type "otherName" into SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the environment variables table
* modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables
* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and adapt modssl_X509_getSAN to take an optional otherName form argument for the GEN_OTHERNAME case
* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype
* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c and make it a static function called use_certificate_chain().

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c and make it a static function called load_x509_info().

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.

Review by: kbrand

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside ssl_util_ssl.c (no callers outside this file). The new static function name chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_ nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2, and SSL_set_app_data2 from SSL_* to modssl_*. Update references in README.dsov.* files. Rename static variable SSL_app_data2_idx to just app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible, unfortunately, due to the heavily intertwined code in ssl_engine_config.c, ssl_engine_init.c and ssl_engine_pphrase.c, which all depend on the modssl_pk_server_t data structure. For better comprehensibility, a detailed listing of the changes follows:

ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs and keys (in theory; currently OpenSSL does not support more than one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check, and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling, make it only load a single (encrypted) private key, and rename to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type passphrase prompting programs

ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr, and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey

SGC became dead in January 2000, effectively (http://www.gpo.gov/fdsys/pkg/FR-2000-01-14/pdf/00-983.pdf). Almost 14 years later, there's certainly no longer any need to spit out some fancy log message.

mod_ssl: add support for subjectAltName-based host name checking in proxy mode (PR 54030)

factor out code from ssl_engine_init.c:ssl_check_public_cert() to ssl_util_ssl.c:SSL_X509_match_name()

introduce new SSLProxyCheckPeerName directive, which should eventually obsolete SSLProxyCheckPeerCN

ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication when aborting with HTTP_BAD_GATEWAY

fix signedness issue with SSL_X509_NAME_to_string()'s maxlen argument

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, so that mod_ssl retains binary compatibility with future versions when internal structures are changed. Use API functions where available, and fall back to direct access for OpenSSL up to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was never used by any released version of mod_ssl.
