delta/apache/httpd.git/modules/ssl/ssl_engine_config.c, branch trunk github.com: apache/httpd.git mod_ssl: Fix deprecation warnings with openssl-3. 2023-03-19T21:30:47+00:00 Yann Ylavic ylavic@apache.org 2023-03-19T21:30:47+00:00 1e06568a28e02b477eb660cc18a42420360103cf * mod_ssl_openssl.h: Make it the first openssl to be included openssl header, selecting the OpenSSL api based on OPENSSL_API_COMPAT eventually. * ssl_private.h; Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting EGINE_ API) before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to new "providers" api before the ENGINE_ api is abandonned..). mod_ssl.h is now implicitely included from there. Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0". Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the engine features are disabled, only "builtin" is accepted). Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api above, so it might not be implemenentedain httpd anymore at some point..). Define X509_get_not{Before,After} if missing to the non deprecated version. New modssl_set_io_callbacks() to factorize compat code for io callbacks. ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and modssl_dh_pkey_from_file() for openssl >= 3.0. * mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling: Including "ssl_private.h" only is suited/enough now. * mod_ssl_ct.c, ssl_ct_log_config: Use EVP api with openssl >= 3 instead of the deprecated SHA256 one. * ssl_engine_config.c(ssl_cmd_SSLCryptoDevice): Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API. * ssl_engine_init: New compat modssl_runtime_lib_version() to address deprecated SSLeay(). ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API. Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars. Compat loading DH parameters and EC curve from cert. * ssl_engine_io.c, ssl_engine_kernel.c: Implement common modssl_set_io_callbacks() and use it. * ssl_engine_pphrase(modssl_load_engine_keypair): Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL. * ssl_util.c(modssl_is_engine_id): No engine supported unless MODSSL_HAVE_ENGINE_API. * ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file): Compat with openssl >= 3.0. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68 
* mod_ssl_openssl.h:
  Make it the first openssl to be included openssl header, selecting the
  OpenSSL api based on OPENSSL_API_COMPAT eventually.

* ssl_private.h;
  Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting EGINE_ API)
  before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
  new "providers" api before the ENGINE_ api is abandonned..).
  mod_ssl.h is now implicitely included from there.
  Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
  Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
  engine features are disabled, only "builtin" is accepted).
  Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
  above, so it might not be implemenentedain httpd anymore at some point..).
  Define X509_get_not{Before,After} if missing to the non deprecated version.
  New modssl_set_io_callbacks() to factorize compat code for io callbacks.
  ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
  modssl_dh_pkey_from_file() for openssl >= 3.0.

* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
  Including "ssl_private.h" only is suited/enough now.
  
* mod_ssl_ct.c, ssl_ct_log_config:
  Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.

* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
  Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.

* ssl_engine_init:
  New compat modssl_runtime_lib_version() to address deprecated SSLeay().
  ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
  Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
  Compat loading DH parameters and EC curve from cert.

* ssl_engine_io.c, ssl_engine_kernel.c:
  Implement common modssl_set_io_callbacks() and use it.

* ssl_engine_pphrase(modssl_load_engine_keypair):
  Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.

* ssl_util.c(modssl_is_engine_id):
  No engine supported unless MODSSL_HAVE_ENGINE_API.

* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
  Compat with openssl >= 3.0.
  


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
Fix some typos 2022-05-08T13:01:01+00:00 Christophe Jaillet jailletc36@apache.org 2022-05-08T13:01:01+00:00 2d6fe30f110b517037d5f0d183ef9a99147faf15 [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900694 13f79535-47bb-0310-9956-ffa450edef68 
[skip ci]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900694 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Add base64-encoded DER certificate variables as alternative 2021-03-19T15:15:36+00:00 Joe Orton jorton@apache.org 2021-03-19T15:15:36+00:00 1c76cd30813ac630b3ced614247bb96fa24df964 to PEM, to avoid newline mangling issues when using PEM in header values. * modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant. * modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data): New function, replacing ssl_var_lookup_ssl_cert_PEM. (ssl_var_lookup_ssl): Use it, and add _B64CERT variants of SSL_{CLIENT,SERVER}_CERT. (ssl_var_lookup_ssl_cert_chain): Use it. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support "ExportBase64CertData" argument. * modules/ssl/ssl_engine_kernel.c (extract_to_env): New function. (ssl_hook_Fixup): Use it, also export _B64CERT variables if SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain handling. PR: 65169 Reviewed by: michaelo Github: closes #177 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68 
to PEM, to avoid newline mangling issues when using PEM in header
values.

* modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data):
  New function, replacing ssl_var_lookup_ssl_cert_PEM.
  (ssl_var_lookup_ssl): Use it, and add _B64CERT variants of
  SSL_{CLIENT,SERVER}_CERT.
  (ssl_var_lookup_ssl_cert_chain): Use it.
  
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support
  "ExportBase64CertData" argument.

* modules/ssl/ssl_engine_kernel.c (extract_to_env): New function.
  (ssl_hook_Fixup): Use it, also export _B64CERT variables if
  SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain
  handling.

PR: 65169
Reviewed by: michaelo
Github: closes #177


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Drop SSLRandomSeed implementation with OpenSSL 1.1.1. 2020-05-07T10:34:12+00:00 Joe Orton jorton@apache.org 2020-05-07T10:34:12+00:00 c2321e5b8fa6792662deaaeb05f1c24bd71503eb Require that OpenSSL is configured with a suitable entropy source, or fail startup otherwise. * modules/ssl/ssl_private.h: Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1. (SSLModConfigRec): Only define pid, aRandSeed for <1.1.1. (ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Only initialize mc->pid for MODSSL_USE_SSLRAND. Fail if RAND_status() returns zero. (ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND. * modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND. (ssl_rand_seed): Drop warning if PRNG not seeded (now a startup error as above). * modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop aRandSeed initialization. (ssl_cmd_SSLRandomSeed): Log a warning if used w/!MODSSL_USE_SSLRAND. Github: closes #123 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877467 13f79535-47bb-0310-9956-ffa450edef68 
Require that OpenSSL is configured with a suitable entropy source,
or fail startup otherwise.

* modules/ssl/ssl_private.h:
  Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1.
  (SSLModConfigRec): Only define pid, aRandSeed for <1.1.1.
  (ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND.

* modules/ssl/ssl_engine_init.c (ssl_init_Module):
  Only initialize mc->pid for MODSSL_USE_SSLRAND.
  Fail if RAND_status() returns zero.
  (ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND.

* modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND.
  (ssl_rand_seed): Drop warning if PRNG not seeded (now a startup
  error as above).
  
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop
  aRandSeed initialization.  (ssl_cmd_SSLRandomSeed): Log a warning if
  used w/!MODSSL_USE_SSLRAND.
  
Github: closes #123


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877467 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Calculate the MD5 digest used as the session context once per 2020-05-04T09:23:03+00:00 Joe Orton jorton@apache.org 2020-05-04T09:23:03+00:00 ccc38eab462e11a50d9ac4de4b64f3845ded60de vhost at startup, rather than building it for each new connection. * modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Replace vhost_id_len field with vhost_md5. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the sc->vhost_md5 hash here. * modules/ssl/mod_ssl.c: Fail at compile time if the SSL_set_session_id_context() API constraint on context length is violated. (ssl_init_ssl_connection): Use sc->vhost_md5. * modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5 after renegotiation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68 
vhost at startup, rather than building it for each new connection.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec):
  Replace vhost_id_len field with vhost_md5.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the
  sc->vhost_md5 hash here.  
   
* modules/ssl/mod_ssl.c: Fail at compile time if the
  SSL_set_session_id_context() API constraint on context length is
  violated.
  (ssl_init_ssl_connection): Use sc->vhost_md5.

* modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5
  after renegotiation.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68
Prior to r1877345 mc->pPool was the process pool (s->process->pool). 2020-05-04T08:58:02+00:00 Joe Orton jorton@apache.org 2020-05-04T08:58:02+00:00 87959528ce4f93d0f579a6c06be141eb39307d21 Drop the field from SSLModConfigRec and use pconf instead (where appropriate) to match the new SSLModConfigRec lifetime. * modules/ssl/ssl_engine_kernel.c (ssl_callback_DelSessionCacheEntry): Explicitly (and probably unsafely) use the process pool. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRandomSeed): Use cmd->pool to allocate paths. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Use pconf to allocate the keylog_file. * modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Drop lookup of SSLModConfigRec and use s->process->pool when no pool is passed. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877347 13f79535-47bb-0310-9956-ffa450edef68 
Drop the field from SSLModConfigRec and use pconf instead (where
appropriate) to match the new SSLModConfigRec lifetime.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_DelSessionCacheEntry):
  Explicitly (and probably unsafely) use the process pool.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRandomSeed): Use
  cmd->pool to allocate paths.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Use pconf
  to allocate the keylog_file.
  
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Drop lookup
  of SSLModConfigRec and use s->process->pool when no pool is
  passed.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877347 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): 2020-05-04T08:37:40+00:00 Joe Orton jorton@apache.org 2020-05-04T08:37:40+00:00 3e2123609c1d0df222d0766817572d99d135bf2d apr_pcalloc SSLModConfigRec, remove ifdef-maze setting fields to zero. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877346 13f79535-47bb-0310-9956-ffa450edef68 
  apr_pcalloc SSLModConfigRec, remove ifdef-maze setting fields to zero.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877346 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Use retained data API for storing private keys across reloads. 2020-05-04T08:32:23+00:00 Joe Orton jorton@apache.org 2020-05-04T08:32:23+00:00 31dfb9b47658a0aba72ba49a9cc8555edc98f4be Allocate SSLModConfigRec from pconf rather than the process pool. * modules/ssl/ssl_private.h: Add modssl_retained_data_t structure and move private key storage here from SSLModConfigRec. Add retained pointer to SSLModConfigRec. * modules/ssl/ssl_engine_config.c (ssl_config_global_create): Take pool argument; allocate SSLModConfigRec from there and initialize mc->retained. SSLModConfigRec no longer cached for the process lifetime. (ssl_init_Module): Sanity check that sc->mc is correct. (ssl_init_server_certs): Use private keys from mc->retained. * modules/ssl/ssl_engine_pphrase.c (privkey_vhost_keyid): Rename from asn1_table_vhost_key and update to use the retained structure. (ssl_load_encrypted_pkey): Update for above. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Remove (apparently) redundant call to ssl_config_global_create and add debug asserts to validate that is safe. Github: closes #119 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877345 13f79535-47bb-0310-9956-ffa450edef68 
Allocate SSLModConfigRec from pconf rather than the process pool.

* modules/ssl/ssl_private.h: Add modssl_retained_data_t structure and
  move private key storage here from SSLModConfigRec.  Add retained
  pointer to SSLModConfigRec.

* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Take
  pool argument; allocate SSLModConfigRec from there and
  initialize mc->retained.  SSLModConfigRec no longer cached for the
  process lifetime.
  (ssl_init_Module): Sanity check that sc->mc is correct.
  (ssl_init_server_certs): Use private keys from mc->retained.

* modules/ssl/ssl_engine_pphrase.c
  (privkey_vhost_keyid): Rename from asn1_table_vhost_key and
  update to use the retained structure.
  (ssl_load_encrypted_pkey): Update for above.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Remove
  (apparently) redundant call to ssl_config_global_create and
  add debug asserts to validate that is safe.

Github: closes #119


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877345 13f79535-47bb-0310-9956-ffa450edef68
Move FIPS mode config option to SSLModConfigRec since it is a global 2020-05-01T15:15:59+00:00 Joe Orton jorton@apache.org 2020-05-01T15:15:59+00:00 5ca180d794cb475afbcbf04b74f299439034c239 SSL library setting. Additionally, always log the FIPS mode since it can be set outside of the httpd config. * modules/ssl/ssl_private.h (SSLModConfigRec): Move fips field here. (SSLSrvConfigRec): ... from here. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLFIPS): Adjust for fips field move. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Adjust for fips field move. Always log the OpenSSL FIPS mode state even if SSLFIPS is not used. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877261 13f79535-47bb-0310-9956-ffa450edef68 
SSL library setting.  Additionally, always log the FIPS mode since it
can be set outside of the httpd config.

* modules/ssl/ssl_private.h (SSLModConfigRec): Move fips field here.
  (SSLSrvConfigRec): ... from here.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLFIPS): Adjust for fips
  field move.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Adjust for fips
  field move.  Always log the OpenSSL FIPS mode state even if SSLFIPS
  is not used.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877261 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the 2019-11-15T09:46:30+00:00 Joe Orton jorton@apache.org 2019-11-15T09:46:30+00:00 abe9502d3ba02e8e6815c0dfc9648582aa8d423d environment, using the standard format which can be parsed by (e.g.) wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1. * modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if SSLKEYLOGFILE is set in the environment. (ssl_init_ctx_protocol): Register the keylog callback with OpenSSL. * modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog): New function. PR: 63391 Github: closes #74 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869842 13f79535-47bb-0310-9956-ffa450edef68 
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.

* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
  SSLKEYLOGFILE is set in the environment.
  (ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.

* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
  New function.

PR: 63391
Github: closes #74


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869842 13f79535-47bb-0310-9956-ffa450edef68