Hanno Böck commited on 2013-10-01 12:53:21
Zeige 3 geänderte Dateien mit 1560 Einfügungen und 2 Löschungen.
... | ... |
@@ -1,10 +1,16 @@ |
1 |
+AUX 00_systemd.conf 88 SHA256 487e7451ce2d834d8af09a1db09bfe235fbc87b17b13a88bf849f0739b023ce3 SHA512 c510b77450f45d8ca5b8f00ebae5de9e3dc0ecb45f9857e391ac923dadb6b5193b13e9bc372790de20bb8829f2bee5bfc0e85ad03b3a72818c5dd6a0d7f45353 WHIRLPOOL 35ff7234f1ac513a522481ed08d2281dc331835cccd1049dbbadd9f2dff7fce1700a3ae9fd8f2f490f09d82edd960f4a0b4f00a91db2bafb7c647e3b54733cef |
|
1 | 2 |
AUX 2.2.22-envvars-std.in 1071 SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee SHA512 c18fd461f02ab79fc456a1ad99bf91c8891ecdabd90f41437ebf87e20b3d28d2006a10d6726164c2f0333e7aee350bd125838abaff3a188d8ab2f5f34d3e5466 WHIRLPOOL 59cbee68fc8012df01229b8d5e38045eb974bab3f08ebf5b01097dabb5275bb83e28cd09a058ce71949ca4a2439811cff457d4c7df88d7b3fc5318c6b7ef0075 |
2 | 3 |
AUX apache-2.2.14-staticdhparameters.diff 11745 SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df SHA512 5c7fa11b29efd430ddc7144ed8d656c82d9609c9da720cd5d217626505b2257c074bea1ef0f4f2c50b123be58d82fbefac3240b71c3b8c3b9b087c30b090bcf9 WHIRLPOOL ced66883bd7fc4ec868a5d6091cdc765424541c183e53283749d73d4f4b53d0c9221950df816625de9bd115f610931e91b1fac819530294fcb12a0a39b7f6f2c |
3 | 4 |
AUX apache-2.2.23-tls-compression-option.diff 4211 SHA256 6ccc0003f486734e660292ac2640d99af830443c09a2d5c9d6aaf371b636d9bd SHA512 915044023b10afca9a67ca90fa4d1175d4d3ef7274308df74c78b0972fd7ec54e3fdb3f4b03ecbfc543b64153b232a140cc8e095b2f74abfcfa0cb86e21fb612 WHIRLPOOL 028be436ac78adcb631b109a23ab7f4b5c2349a95202f8ed33a111b9b2048675892b160ac737875ebe7a73937f8868d665d016a61bdbaec301eacbbad0d1cc05 |
4 | 5 |
AUX apache-2.4.3-dhparam.diff 12684 SHA256 5185da7eecf04f26cc496a25fabe420db065e59dd088eca51b8c08f0238d12ad SHA512 c49e4c6e607cf5bf11e59c929791d806b15ff30d11e8473e633f2ef406e5d926a2ced1910672e5263f8ea45de6f30eb37048065c1d9fbd11fb7c52603e93bd4b WHIRLPOOL 41e2ac7c8c0734e3132639db7222e488b8ffd18a6c2f2e76b401fdc0b71fc528f3d80eb3d95710084b9fa88e29ce916df215c79b47d80c3ae25188f4cea79e9c |
6 |
+AUX apache-2.4.6-modssl-dhparams.diff 48302 SHA256 529b747ab1858966011ed4ffab14bb8c1f015c98ecbdf72cd3a53c70a6a8f220 SHA512 9f8b0710c9b5134213415dc6dceaaad17536072250d403794b074fb690ad1168b9b408996a192017f988728b656d1cff2e18a66c5a9792580870970a6026a3f2 WHIRLPOOL 2252302acb1366c064a7f304282d480b7920989f2b0022ce8487a1da28b86164759f28fa57bd4d9ff0abf65550290e8feea4de4125bcd75cac35b7269d43a868 |
|
5 | 7 |
AUX apache-noip.diff 417 SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc SHA512 fa684688e707f5fb511b228b8fa9b0f996dbf615f2f9b6478ab478e801f14c65a7381137cdbda648d68f7818891085c744da3a8249843e73bdf5ef247a90d3fe WHIRLPOOL d2636a34b0d48139adef125e76ef477d84bf7cd9785f094fe57c1d81b45e7392622d232bee5f53896d8b48eb9b3241cd48cbb585ea70d97a872c5cd3f6bfe420 |
6 | 8 |
AUX apache-npn 9799 SHA256 6e41b59680832b074246dd24a41aec56f9bb35ab4f34674cd20e32f1289c21ab SHA512 60d9c6f750562f087b607edf7939195f31b7e0101b9c8d1c883e3b01da192d354fc291d45832757ab50c029f99ac4ad06fa9b7ce4e5928367d1f89278fa79fa3 WHIRLPOOL 162dba8354efeccbb100a86cb61e47c0a96be11a057cfffccc194abd31721b99f4ef3e5fc9b4a7e82a7495d1369af1be3f7b3d4339ec33af24858a0049474331 |
9 |
+AUX apache.conf 55 SHA256 ea616c5cc37979a006d69c51bda43fca15a4327d33175762652b29f5cdea1c7b SHA512 3a53beb7a283d17c14383f16ad14c0602681ac1b193cce8f5aca50ae9d9af3a71054ce4a9ab11cbcb72fe913459e1b306fd54660154e66afe10272f8c0f149f3 WHIRLPOOL fa348414f320a9f70001386dfb77d57ca4836c3ef3d251976077b7ad545d7f6752e534efadbf28c7dcb777388e3d844eba84b939dcf48881983388daf6ac23f0 |
|
10 |
+AUX apache2.2.service 716 SHA256 e850ad73585fbba52ade58a39ca91adbfd52f56a0bbd426ebcadb340a7dcb62b SHA512 5f736c803772077598248bbb41f76dff396dfd2f11a60d1ba929a619275efb8c1b4c0dab78cbcdf83b9ec94db67b958b3333b01f67d71eb3b2e07dba4bca2a7c WHIRLPOOL 776a928422b8f37a12099111a1503674ca901934b60dca8596dc8bc287390be9a0e912d7ba6226dcb22eb7c669fa298ddc20fd7bf5c275b0cf019bae0d594839 |
|
11 |
+AUX apache2.4.service 728 SHA256 4420af10d1237f90ae519e56e75f1cc84e9f7c7b63aca9decf91a77f88ae0390 SHA512 6b43e5638d5da68a5408d45befd10a9e42197c1a393764e945ba22d47d0736e2b28bad36a96f4f4ad4ff928db6f2c1377bd22ce401056b2f21fb38933a3cd972 WHIRLPOOL 5526995c5f4772353fcccbd83ed93c8186cb47f80f5d1244dc454ca886189ac92539572c43978d2868b77002a2397ff4794b3c8f6c655fecb432b8013afaf38e |
|
7 | 12 |
AUX httpd-2.2.16-ecc.diff 8236 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461 SHA512 8b54c30f9edc76bd8969ee894038f267d722d1ab8c7332a84fe21704bde0451e1a27503252fa87bd0f749dac3281eb266cda36aa7faec1a36ee6e67a8f9ae6c7 WHIRLPOOL 2d8ad3cd12b27937dcafef31df8c9fa048fb4e1ed06109e745fbe12dc869ceaa21fa2e62aa9bcb729d7fb426c1ee0a82171b5038cac56f8b8ebbc3cd3569daa9 |
13 |
+AUX httpd-2.4.3-mod_systemd.patch 5396 SHA256 d8f5c76dd5eb0edc9759ea300d3b320ee96b6e6f9fabb8a4043f8d1b77b646a2 SHA512 0db785fac6034aa431e9d816bd06020a5b287dbdae794f8b94eb267805981a1d2a97fdb92bd13e32d35329e6db3f799a03e98456329f6a80c5863e72a26e5c59 WHIRLPOOL 4016b9626af1a8ca001518e8a45262ca4dd27a998727db988a8f1234aa7c5d56d439f4ecfdc6219510f57c97991884a7f57eaa83535988cb72e9fd8ffdee7b6e |
|
8 | 14 |
DIST gentoo-apache-2.2.22-20120213.tar.bz2 64507 SHA256 737730dabf1e1ccfe9d409067dc3c4d37d16f7fa1e792f5bf39268d904ce1c31 SHA512 f364bdbee967b3bc797d2053b9eb347af963f99275441093930d0057465e1a12567106f5c5ac21a45a4bbd4b353ce67553038d6146f469a7bf980a9148471170 WHIRLPOOL f5a3ab44fc14ddf67ccf0785006b1d9f5c49b915114f9d7e97858fba447a5ee872c741e73c17e121b61cc0aa678b42dc154616cd64054461c552d3a8c29f4f17 |
9 | 15 |
DIST gentoo-apache-2.2.23-20121012.tar.bz2 64135 SHA256 711a88f26c58b10b082f7ff411366cd768f9450101da050438a2f77abeab7333 SHA512 92a49f954b82d4427862f41977625a60641731cc25ab3efdd666be8db839038e7b1c2ef2f878d5efed243eaa63237e88ee4993cd25cca1dfbb0f56a6b2093d57 WHIRLPOOL 221d9c0cf999430afc11a8e48ae67019c7f31daca827a5db7615aca24859788743e5da00e4c99b7b7b375e58fafd6c148339e5671be939dbc30735031e12c49f |
10 | 16 |
DIST gentoo-apache-2.4.3-20121012.tar.bz2 24541 SHA256 aeed23c716f05d7430a6d905fb75c192418c9ba90feb96fcc474138c4addfd69 SHA512 fe37c91328bf090aacd4012030845b2e4461a116b9b60d95108c4a4749729bef5ac526d4bd3570406f3d7afe41b0f634c2e9a167ee416a56f5f82f46eb27cc26 WHIRLPOOL 421efb4a7940b52cbc2e054c5ef2f79ff19c13a3140941ec659da3ff61a70491485c1c375db29b1fa6c4dc45761df1f0fc63bd3d867c8937d33f5b6c948bade0 |
... | ... |
@@ -26,4 +32,4 @@ EBUILD apache-2.2.25.ebuild 3297 SHA256 f2a97144d474359d89e67248fa1f7a58c22e1268 |
26 | 32 |
EBUILD apache-2.4.3.ebuild 7203 SHA256 082ee4bc36fe78621a32ad8ae3f3117943b5572e1456618d1b547cf344c4d687 SHA512 56786dc2e5f835e1894760ad85bfba6ffd531b50e7e9f782240ac2deb7464a2aa222cd04495ab7bd81f0e30c91972f417857c9fd4ee53587ebc91ba6a542c41e WHIRLPOOL 4e8e22861a21d8defd9c8eb57fc5548ba38a911db640fc63b6a15fdcfcf86c8fbf50b09f78321ea784bf81340718242d5a7fa6c6ed1c4e0c31a4e79affc64d24 |
27 | 33 |
EBUILD apache-2.4.4-r1.ebuild 7252 SHA256 64b4537ade811698d002a19da3b32dc54fc590c76cab613095f7086502b34dca SHA512 30f72175c5093f6fcee56892b79e3c72106c7f160a5dff3f7f29c0be376ed94271b35f536ec4d3d539f352a90c9d741b368eb8aaeada501da8a22f1f8cfa67dc WHIRLPOOL 0bd24504dcbab1e364209e622f93a5baf78976761f9e4de7a85686417e6077829f8ca1ab7a87724f3c03362249de3fada01c06e9f553ec8bd24cf1bead516a4b |
28 | 34 |
EBUILD apache-2.4.6-r1.ebuild 7476 SHA256 6d6b9331dce777b11cfef9bd8b5e9ac006e93728f549225ab6945cb81037a1a9 SHA512 c5ceb713601e2372bb36bdb705d9a7d7dd8c76ffa09339124b11b0054c180606243b21e2c1e95346a7ac0d0ab302ff88e238a8447b553abf08b8a42b390d9e42 WHIRLPOOL 974cf7113269dfb87c138635abd610aaddf92aa94d9dad508b1c11c3636715d9dcce969e0d7e13db1bf854b0f9c2100c428c351795987708659d3ad3ab9ca9b1 |
29 |
-EBUILD apache-2.4.6-r2.ebuild 7479 SHA256 f03c11e0c4faf54b368158249ab5591d92d9a215ced2f345940c65d462843fac SHA512 16a1f8dbb234feb054b05146f190dab26df1f6b325b0dc4fae429d4864087df915e8a2cffb38395aebe121ff2028c7b7edbb302ce19f2d0781a57e00a59bae03 WHIRLPOOL a386b5572216edffbf829fa51ed65d3896204d0a6562b06bb89d33ffda74c5bc5eb9201ad449a3567f47232f1a5881fb9b84a233cb72ba888f7ceb28042fdd2c |
|
35 |
+EBUILD apache-2.4.6-r2.ebuild 7487 SHA256 6d15eef1bc7ca1b70be5f61e2dfed5f8ae9feb5c3b42142c06ffc1c3a132c2cb SHA512 84d0cb9cf92a09775116702b65fc87cae08cdf0316602f9e1f05278414a9e3a9ebbbd05e4a6c2e61d7100dfb25db9b5535d3e6cc51f7294889ba370166c58be7 WHIRLPOOL 68b4c5223776d6e08c1da9e4caa93245fcf0a6f83327d6a719c0f202eb14b4a339e7105f872ca062e5f4f1f6fced87e6ddab6fc3c3f412fa6117d545e27a3dc2 |
... | ... |
@@ -136,7 +136,7 @@ RDEPEND="${RDEPEND} |
136 | 136 |
|
137 | 137 |
# init script fixup - should be rolled into next tarball #389965 |
138 | 138 |
src_prepare() { |
139 |
- epatch "${FILESDIR}/apache-2.4.3-dhparam.diff" |
|
139 |
+ epatch "${FILESDIR}/apache-2.4.6-modssl-dhparams.diff" |
|
140 | 140 |
|
141 | 141 |
# the following patch can be removed once it is included in |
142 | 142 |
# GENTOO_PATCHNAME="gentoo-apache-2.4.1" ... |
... | ... |
@@ -0,0 +1,1552 @@ |
1 |
+diff -Naur httpd-2.4.6-orig/LAYOUT httpd-2.4.6/LAYOUT |
|
2 |
+--- httpd-2.4.6-orig/LAYOUT 2013-10-01 12:20:45.706812951 +0200 |
|
3 |
++++ httpd-2.4.6/LAYOUT 2013-10-01 12:20:50.988746918 +0200 |
|
4 |
+@@ -108,7 +108,6 @@ |
|
5 |
+ mod_ssl.c ............... main source file containing API structures |
|
6 |
+ mod_ssl.h ............... common header file of mod_ssl |
|
7 |
+ ssl_engine_config.c ..... module configuration handling |
|
8 |
+- ssl_engine_dh.c ......... DSA/DH support |
|
9 |
+ ssl_engine_init.c ....... module initialization |
|
10 |
+ ssl_engine_io.c ......... I/O support |
|
11 |
+ ssl_engine_kernel.c ..... SSL engine kernel |
|
12 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/config.m4 httpd-2.4.6/modules/ssl/config.m4 |
|
13 |
+--- httpd-2.4.6-orig/modules/ssl/config.m4 2013-10-01 12:20:45.774812101 +0200 |
|
14 |
++++ httpd-2.4.6/modules/ssl/config.m4 2013-10-01 12:20:50.989746905 +0200 |
|
15 |
+@@ -20,7 +20,6 @@ |
|
16 |
+ ssl_objs="dnl |
|
17 |
+ mod_ssl.lo dnl |
|
18 |
+ ssl_engine_config.lo dnl |
|
19 |
+-ssl_engine_dh.lo dnl |
|
20 |
+ ssl_engine_init.lo dnl |
|
21 |
+ ssl_engine_io.lo dnl |
|
22 |
+ ssl_engine_kernel.lo dnl |
|
23 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/mod_ssl.c httpd-2.4.6/modules/ssl/mod_ssl.c |
|
24 |
+--- httpd-2.4.6-orig/modules/ssl/mod_ssl.c 2013-10-01 12:20:45.775812088 +0200 |
|
25 |
++++ httpd-2.4.6/modules/ssl/mod_ssl.c 2013-10-01 12:20:50.989746905 +0200 |
|
26 |
+@@ -148,7 +148,7 @@ |
|
27 |
+ SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, |
|
28 |
+ "Strict SNI virtual host checking") |
|
29 |
+ |
|
30 |
+-#ifndef OPENSSL_NO_SRP |
|
31 |
++#ifdef HAVE_SRP |
|
32 |
+ SSL_CMD_SRV(SRPVerifierFile, TAKE1, |
|
33 |
+ "SRP verifier file " |
|
34 |
+ "('/path/to/file' - created by srptool)") |
|
35 |
+@@ -471,15 +471,6 @@ |
|
36 |
+ |
|
37 |
+ sslconn->ssl = ssl; |
|
38 |
+ |
|
39 |
+- /* |
|
40 |
+- * Configure callbacks for SSL connection |
|
41 |
+- */ |
|
42 |
+- SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); |
|
43 |
+- SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); |
|
44 |
+-#ifndef OPENSSL_NO_EC |
|
45 |
+- SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); |
|
46 |
+-#endif |
|
47 |
+- |
|
48 |
+ SSL_set_verify_result(ssl, X509_V_OK); |
|
49 |
+ |
|
50 |
+ ssl_io_filter_init(c, r, ssl); |
|
51 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/mod_ssl.dsp httpd-2.4.6/modules/ssl/mod_ssl.dsp |
|
52 |
+--- httpd-2.4.6-orig/modules/ssl/mod_ssl.dsp 2013-10-01 12:20:45.775812088 +0200 |
|
53 |
++++ httpd-2.4.6/modules/ssl/mod_ssl.dsp 2013-10-01 12:20:50.989746905 +0200 |
|
54 |
+@@ -112,10 +112,6 @@ |
|
55 |
+ # End Source File |
|
56 |
+ # Begin Source File |
|
57 |
+ |
|
58 |
+-SOURCE=.\ssl_engine_dh.c |
|
59 |
+-# End Source File |
|
60 |
+-# Begin Source File |
|
61 |
+- |
|
62 |
+ SOURCE=.\ssl_engine_init.c |
|
63 |
+ # End Source File |
|
64 |
+ # Begin Source File |
|
65 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_config.c httpd-2.4.6/modules/ssl/ssl_engine_config.c |
|
66 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_config.c 2013-10-01 12:20:45.776812076 +0200 |
|
67 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c 2013-10-01 12:20:50.989746905 +0200 |
|
68 |
+@@ -75,8 +75,6 @@ |
|
69 |
+ mc->stapling_mutex = NULL; |
|
70 |
+ #endif |
|
71 |
+ |
|
72 |
+- memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); |
|
73 |
+- |
|
74 |
+ apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY, |
|
75 |
+ apr_pool_cleanup_null, |
|
76 |
+ pool); |
|
77 |
+@@ -150,7 +148,7 @@ |
|
78 |
+ mctx->stapling_force_url = NULL; |
|
79 |
+ #endif |
|
80 |
+ |
|
81 |
+-#ifndef OPENSSL_NO_SRP |
|
82 |
++#ifdef HAVE_SRP |
|
83 |
+ mctx->srp_vfile = NULL; |
|
84 |
+ mctx->srp_unknown_user_seed = NULL; |
|
85 |
+ mctx->srp_vbase = NULL; |
|
86 |
+@@ -208,7 +206,7 @@ |
|
87 |
+ sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET; |
|
88 |
+ sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET; |
|
89 |
+ sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET; |
|
90 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
91 |
++#ifdef HAVE_TLSEXT |
|
92 |
+ sc->strict_sni_vhost_check = SSL_ENABLED_UNSET; |
|
93 |
+ #endif |
|
94 |
+ #ifdef HAVE_FIPS |
|
95 |
+@@ -282,7 +280,7 @@ |
|
96 |
+ cfgMerge(stapling_force_url, NULL); |
|
97 |
+ #endif |
|
98 |
+ |
|
99 |
+-#ifndef OPENSSL_NO_SRP |
|
100 |
++#ifdef HAVE_SRP |
|
101 |
+ cfgMergeString(srp_vfile); |
|
102 |
+ cfgMergeString(srp_unknown_user_seed); |
|
103 |
+ #endif |
|
104 |
+@@ -338,7 +336,7 @@ |
|
105 |
+ cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET); |
|
106 |
+ cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET); |
|
107 |
+ cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET); |
|
108 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
109 |
++#ifdef HAVE_TLSEXT |
|
110 |
+ cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET); |
|
111 |
+ #endif |
|
112 |
+ #ifdef HAVE_FIPS |
|
113 |
+@@ -645,6 +643,9 @@ |
|
114 |
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); |
|
115 |
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; |
|
116 |
+ |
|
117 |
++ /* always disable null and export ciphers */ |
|
118 |
++ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); |
|
119 |
++ |
|
120 |
+ if (cmd->path) { |
|
121 |
+ dc->szCipherSuite = arg; |
|
122 |
+ } |
|
123 |
+@@ -1384,6 +1385,9 @@ |
|
124 |
+ { |
|
125 |
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); |
|
126 |
+ |
|
127 |
++ /* always disable null and export ciphers */ |
|
128 |
++ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); |
|
129 |
++ |
|
130 |
+ sc->proxy->auth.cipher_suite = arg; |
|
131 |
+ |
|
132 |
+ return NULL; |
|
133 |
+@@ -1645,7 +1649,7 @@ |
|
134 |
+ |
|
135 |
+ const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag) |
|
136 |
+ { |
|
137 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
138 |
++#ifdef HAVE_TLSEXT |
|
139 |
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); |
|
140 |
+ |
|
141 |
+ sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; |
|
142 |
+@@ -1804,7 +1808,7 @@ |
|
143 |
+ |
|
144 |
+ #endif /* HAVE_OCSP_STAPLING */ |
|
145 |
+ |
|
146 |
+-#ifndef OPENSSL_NO_SRP |
|
147 |
++#ifdef HAVE_SRP |
|
148 |
+ |
|
149 |
+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, |
|
150 |
+ const char *arg) |
|
151 |
+@@ -1828,7 +1832,7 @@ |
|
152 |
+ return NULL; |
|
153 |
+ } |
|
154 |
+ |
|
155 |
+-#endif /* OPENSSL_NO_SRP */ |
|
156 |
++#endif /* HAVE_SRP */ |
|
157 |
+ |
|
158 |
+ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) |
|
159 |
+ { |
|
160 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_dh.c httpd-2.4.6/modules/ssl/ssl_engine_dh.c |
|
161 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_dh.c 2013-10-01 12:20:45.777812063 +0200 |
|
162 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_dh.c 2013-10-01 12:20:50.990746893 +0200 |
|
163 |
+@@ -1,244 +0,0 @@ |
|
164 |
+-#if 0 |
|
165 |
+-=pod |
|
166 |
+-#endif |
|
167 |
+- |
|
168 |
+-/* Licensed to the Apache Software Foundation (ASF) under one or more |
|
169 |
+- * contributor license agreements. See the NOTICE file distributed with |
|
170 |
+- * this work for additional information regarding copyright ownership. |
|
171 |
+- * The ASF licenses this file to You under the Apache License, Version 2.0 |
|
172 |
+- * (the "License"); you may not use this file except in compliance with |
|
173 |
+- * the License. You may obtain a copy of the License at |
|
174 |
+- * |
|
175 |
+- * http://www.apache.org/licenses/LICENSE-2.0 |
|
176 |
+- * |
|
177 |
+- * Unless required by applicable law or agreed to in writing, software |
|
178 |
+- * distributed under the License is distributed on an "AS IS" BASIS, |
|
179 |
+- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
180 |
+- * See the License for the specific language governing permissions and |
|
181 |
+- * limitations under the License. |
|
182 |
+- */ |
|
183 |
+- |
|
184 |
+-/* _ _ |
|
185 |
+- * _ __ ___ ___ __| | ___ ___| | mod_ssl |
|
186 |
+- * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL |
|
187 |
+- * | | | | | | (_) | (_| | \__ \__ \ | |
|
188 |
+- * |_| |_| |_|\___/ \__,_|___|___/___/_| |
|
189 |
+- * |_____| |
|
190 |
+- * ssl_engine_dh.c |
|
191 |
+- * Diffie-Hellman Built-in Temporary Parameters |
|
192 |
+- */ |
|
193 |
+- |
|
194 |
+-#include "ssl_private.h" |
|
195 |
+- |
|
196 |
+-/* ----BEGIN GENERATED SECTION-------- */ |
|
197 |
+- |
|
198 |
+-/* |
|
199 |
+-** Diffie-Hellman-Parameters: (512 bit) |
|
200 |
+-** prime: |
|
201 |
+-** 00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba: |
|
202 |
+-** 2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1: |
|
203 |
+-** 6e:37:41:71:fd:19:d8:d8:f3:7c:39:bf:86:3f:d6: |
|
204 |
+-** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70: |
|
205 |
+-** e6:aa:87:10:33 |
|
206 |
+-** generator: 2 (0x2) |
|
207 |
+-** Diffie-Hellman-Parameters: (1024 bit) |
|
208 |
+-** prime: |
|
209 |
+-** 00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd: |
|
210 |
+-** 0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98: |
|
211 |
+-** bc:e9:51:84:9f:91:2e:63:9c:72:fb:13:b4:b4:d7: |
|
212 |
+-** 17:7e:16:d5:5a:c1:79:ba:42:0b:2a:29:fe:32:4a: |
|
213 |
+-** 46:7a:63:5e:81:ff:59:01:37:7b:ed:dc:fd:33:16: |
|
214 |
+-** 8a:46:1a:ad:3b:72:da:e8:86:00:78:04:5b:07:a7: |
|
215 |
+-** db:ca:78:74:08:7d:15:10:ea:9f:cc:9d:dd:33:05: |
|
216 |
+-** 07:dd:62:db:88:ae:aa:74:7d:e0:f4:d6:e2:bd:68: |
|
217 |
+-** b0:e7:39:3e:0f:24:21:8e:b3 |
|
218 |
+-** generator: 2 (0x2) |
|
219 |
+-*/ |
|
220 |
+- |
|
221 |
+-static unsigned char dh512_p[] = { |
|
222 |
+- 0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37, |
|
223 |
+- 0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18, |
|
224 |
+- 0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8, |
|
225 |
+- 0xD8, 0xF3, 0x7C, 0x39, 0xBF, 0x86, 0x3F, 0xD6, 0x0E, 0x3E, 0x30, 0x06, |
|
226 |
+- 0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6, |
|
227 |
+- 0xAA, 0x87, 0x10, 0x33, |
|
228 |
+-}; |
|
229 |
+-static unsigned char dh512_g[] = { |
|
230 |
+- 0x02, |
|
231 |
+-}; |
|
232 |
+- |
|
233 |
+-static DH *get_dh512(void) |
|
234 |
+-{ |
|
235 |
+- DH *dh; |
|
236 |
+- |
|
237 |
+- if (!(dh = DH_new())) { |
|
238 |
+- return NULL; |
|
239 |
+- } |
|
240 |
+- |
|
241 |
+- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); |
|
242 |
+- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); |
|
243 |
+- if (!(dh->p && dh->g)) { |
|
244 |
+- DH_free(dh); |
|
245 |
+- return NULL; |
|
246 |
+- } |
|
247 |
+- |
|
248 |
+- return dh; |
|
249 |
+-} |
|
250 |
+- |
|
251 |
+-static unsigned char dh1024_p[] = { |
|
252 |
+- 0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3, |
|
253 |
+- 0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B, |
|
254 |
+- 0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E, |
|
255 |
+- 0x63, 0x9C, 0x72, 0xFB, 0x13, 0xB4, 0xB4, 0xD7, 0x17, 0x7E, 0x16, 0xD5, |
|
256 |
+- 0x5A, 0xC1, 0x79, 0xBA, 0x42, 0x0B, 0x2A, 0x29, 0xFE, 0x32, 0x4A, 0x46, |
|
257 |
+- 0x7A, 0x63, 0x5E, 0x81, 0xFF, 0x59, 0x01, 0x37, 0x7B, 0xED, 0xDC, 0xFD, |
|
258 |
+- 0x33, 0x16, 0x8A, 0x46, 0x1A, 0xAD, 0x3B, 0x72, 0xDA, 0xE8, 0x86, 0x00, |
|
259 |
+- 0x78, 0x04, 0x5B, 0x07, 0xA7, 0xDB, 0xCA, 0x78, 0x74, 0x08, 0x7D, 0x15, |
|
260 |
+- 0x10, 0xEA, 0x9F, 0xCC, 0x9D, 0xDD, 0x33, 0x05, 0x07, 0xDD, 0x62, 0xDB, |
|
261 |
+- 0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0, |
|
262 |
+- 0xE7, 0x39, 0x3E, 0x0F, 0x24, 0x21, 0x8E, 0xB3, |
|
263 |
+-}; |
|
264 |
+-static unsigned char dh1024_g[] = { |
|
265 |
+- 0x02, |
|
266 |
+-}; |
|
267 |
+- |
|
268 |
+-static DH *get_dh1024(void) |
|
269 |
+-{ |
|
270 |
+- DH *dh; |
|
271 |
+- |
|
272 |
+- if (!(dh = DH_new())) { |
|
273 |
+- return NULL; |
|
274 |
+- } |
|
275 |
+- |
|
276 |
+- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); |
|
277 |
+- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); |
|
278 |
+- if (!(dh->p && dh->g)) { |
|
279 |
+- DH_free(dh); |
|
280 |
+- return NULL; |
|
281 |
+- } |
|
282 |
+- |
|
283 |
+- return dh; |
|
284 |
+-} |
|
285 |
+- |
|
286 |
+-/* ----END GENERATED SECTION---------- */ |
|
287 |
+- |
|
288 |
+-DH *ssl_dh_GetTmpParam(int nKeyLen) |
|
289 |
+-{ |
|
290 |
+- DH *dh; |
|
291 |
+- |
|
292 |
+- if (nKeyLen == 512) |
|
293 |
+- dh = get_dh512(); |
|
294 |
+- else if (nKeyLen == 1024) |
|
295 |
+- dh = get_dh1024(); |
|
296 |
+- else |
|
297 |
+- dh = get_dh1024(); |
|
298 |
+- return dh; |
|
299 |
+-} |
|
300 |
+- |
|
301 |
+-DH *ssl_dh_GetParamFromFile(char *file) |
|
302 |
+-{ |
|
303 |
+- DH *dh = NULL; |
|
304 |
+- BIO *bio; |
|
305 |
+- |
|
306 |
+- if ((bio = BIO_new_file(file, "r")) == NULL) |
|
307 |
+- return NULL; |
|
308 |
+- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
|
309 |
+- BIO_free(bio); |
|
310 |
+- return (dh); |
|
311 |
+-} |
|
312 |
+- |
|
313 |
+-/* |
|
314 |
+-=cut |
|
315 |
+-## |
|
316 |
+-## Embedded Perl script for generating the temporary DH parameters |
|
317 |
+-## |
|
318 |
+- |
|
319 |
+-require 5.003; |
|
320 |
+-use strict; |
|
321 |
+- |
|
322 |
+-# configuration |
|
323 |
+-my $file = $0; |
|
324 |
+-my $begin = '----BEGIN GENERATED SECTION--------'; |
|
325 |
+-my $end = '----END GENERATED SECTION----------'; |
|
326 |
+- |
|
327 |
+-# read ourself and keep a backup |
|
328 |
+-open(FP, "<$file") || die; |
|
329 |
+-my $source = ''; |
|
330 |
+-$source .= $_ while (<FP>); |
|
331 |
+-close(FP); |
|
332 |
+-open(FP, ">$file.bak") || die; |
|
333 |
+-print FP $source; |
|
334 |
+-close(FP); |
|
335 |
+- |
|
336 |
+-# generate the DH parameters |
|
337 |
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n"; |
|
338 |
+-my $rand = ''; |
|
339 |
+-foreach $file (qw(/var/log/messages /var/adm/messages |
|
340 |
+- /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) { |
|
341 |
+- if (-f $file) { |
|
342 |
+- $rand = $file if ($rand eq ''); |
|
343 |
+- $rand .= ":$file" if ($rand ne ''); |
|
344 |
+- } |
|
345 |
+-} |
|
346 |
+-$rand = "-rand $rand" if ($rand ne ''); |
|
347 |
+-system("openssl gendh $rand -out dh512.pem 512"); |
|
348 |
+-system("openssl gendh $rand -out dh1024.pem 1024"); |
|
349 |
+- |
|
350 |
+-# generate DH param info |
|
351 |
+-my $dhinfo = ''; |
|
352 |
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die; |
|
353 |
+-$dhinfo .= $_ while (<FP>); |
|
354 |
+-close(FP); |
|
355 |
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; |
|
356 |
+-$dhinfo .= $_ while (<FP>); |
|
357 |
+-close(FP); |
|
358 |
+-$dhinfo =~ s|^|** |mg; |
|
359 |
+-$dhinfo = "\n\/\*\n$dhinfo\*\/\n\n"; |
|
360 |
+- |
|
361 |
+-my $indent_args = "-i4 -npsl -di0 -br -nce -d0 -cli0 -npcs -nfc1"; |
|
362 |
+- |
|
363 |
+-# generate C source from DH params |
|
364 |
+-my $dhsource = ''; |
|
365 |
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent $indent_args | expand |") || die; |
|
366 |
+-$dhsource .= $_ while (<FP>); |
|
367 |
+-close(FP); |
|
368 |
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent $indent_args | expand |") || die; |
|
369 |
+-$dhsource .= $_ while (<FP>); |
|
370 |
+-close(FP); |
|
371 |
+-$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void) |
|
372 |
+-{ |
|
373 |
+- DH *dh; |
|
374 |
+- |
|
375 |
+- if (!(dh = DH_new())) { |
|
376 |
+- return NULL; |
|
377 |
+- } |
|
378 |
+- |
|
379 |
+- dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL); |
|
380 |
+- dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL); |
|
381 |
+- if (!(dh->p && dh->g)) { |
|
382 |
+- DH_free(dh); |
|
383 |
+- return NULL; |
|
384 |
+- } |
|
385 |
+- |
|
386 |
+- return dh; |
|
387 |
+-} |
|
388 |
+-|sg; |
|
389 |
+- |
|
390 |
+-# generate output |
|
391 |
+-my $o = $dhinfo . $dhsource; |
|
392 |
+- |
|
393 |
+-# insert the generated code at the target location |
|
394 |
+-$source =~ s|(\/\* $begin.+?\n).*\n(.*?\/\* $end)|$1$o$2|s; |
|
395 |
+- |
|
396 |
+-# and update the source on disk |
|
397 |
+-print "Updating file `$file'\n"; |
|
398 |
+-open(FP, ">$file") || die; |
|
399 |
+-print FP $source; |
|
400 |
+-close(FP); |
|
401 |
+- |
|
402 |
+-# cleanup |
|
403 |
+-unlink("dh512.pem"); |
|
404 |
+-unlink("dh1024.pem"); |
|
405 |
+- |
|
406 |
+-=pod |
|
407 |
+-*/ |
|
408 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_init.c httpd-2.4.6/modules/ssl/ssl_engine_init.c |
|
409 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_init.c 2013-10-01 12:20:45.777812063 +0200 |
|
410 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c 2013-10-01 12:20:50.990746893 +0200 |
|
411 |
+@@ -35,7 +35,7 @@ |
|
412 |
+ ** _________________________________________________________________ |
|
413 |
+ */ |
|
414 |
+ |
|
415 |
+-#ifndef OPENSSL_NO_EC |
|
416 |
++#ifdef HAVE_ECC |
|
417 |
+ #define KEYTYPES "RSA, DSA or ECC" |
|
418 |
+ #else |
|
419 |
+ #define KEYTYPES "RSA or DSA" |
|
420 |
+@@ -56,180 +56,6 @@ |
|
421 |
+ modver, AP_SERVER_BASEVERSION, incver); |
|
422 |
+ } |
|
423 |
+ |
|
424 |
+- |
|
425 |
+-/* |
|
426 |
+- * Handle the Temporary RSA Keys and DH Params |
|
427 |
+- */ |
|
428 |
+- |
|
429 |
+-#define MODSSL_TMP_KEY_FREE(mc, type, idx) \ |
|
430 |
+- if (mc->pTmpKeys[idx]) { \ |
|
431 |
+- type##_free((type *)mc->pTmpKeys[idx]); \ |
|
432 |
+- mc->pTmpKeys[idx] = NULL; \ |
|
433 |
+- } |
|
434 |
+- |
|
435 |
+-#define MODSSL_TMP_KEYS_FREE(mc, type) \ |
|
436 |
+- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \ |
|
437 |
+- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024) |
|
438 |
+- |
|
439 |
+-static void ssl_tmp_keys_free(server_rec *s) |
|
440 |
+-{ |
|
441 |
+- SSLModConfigRec *mc = myModConfig(s); |
|
442 |
+- |
|
443 |
+- MODSSL_TMP_KEYS_FREE(mc, RSA); |
|
444 |
+- MODSSL_TMP_KEYS_FREE(mc, DH); |
|
445 |
+-#ifndef OPENSSL_NO_EC |
|
446 |
+- MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256); |
|
447 |
+-#endif |
|
448 |
+-} |
|
449 |
+- |
|
450 |
+-static int ssl_tmp_key_init_rsa(server_rec *s, |
|
451 |
+- int bits, int idx) |
|
452 |
+-{ |
|
453 |
+- SSLModConfigRec *mc = myModConfig(s); |
|
454 |
+- |
|
455 |
+-#ifdef HAVE_FIPS |
|
456 |
+- |
|
457 |
+- if (FIPS_mode() && bits < 1024) { |
|
458 |
+- mc->pTmpKeys[idx] = NULL; |
|
459 |
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01877) |
|
460 |
+- "Init: Skipping generating temporary " |
|
461 |
+- "%d bit RSA private key in FIPS mode", bits); |
|
462 |
+- return OK; |
|
463 |
+- } |
|
464 |
+- |
|
465 |
+-#endif |
|
466 |
+-#ifdef HAVE_GENERATE_EX |
|
467 |
+- { |
|
468 |
+- RSA *tkey; |
|
469 |
+- BIGNUM *bn_f4; |
|
470 |
+- if (!(tkey = RSA_new()) |
|
471 |
+- || !(bn_f4 = BN_new()) |
|
472 |
+- || !BN_set_word(bn_f4, RSA_F4) |
|
473 |
+- || !RSA_generate_key_ex(tkey, bits, bn_f4, NULL)) |
|
474 |
+- { |
|
475 |
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01878) |
|
476 |
+- "Init: Failed to generate temporary " |
|
477 |
+- "%d bit RSA private key", bits); |
|
478 |
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); |
|
479 |
+- return !OK; |
|
480 |
+- } |
|
481 |
+- BN_free(bn_f4); |
|
482 |
+- mc->pTmpKeys[idx] = tkey; |
|
483 |
+- } |
|
484 |
+-#else |
|
485 |
+- if (!(mc->pTmpKeys[idx] = |
|
486 |
+- RSA_generate_key(bits, RSA_F4, NULL, NULL))) |
|
487 |
+- { |
|
488 |
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01879) |
|
489 |
+- "Init: Failed to generate temporary " |
|
490 |
+- "%d bit RSA private key", bits); |
|
491 |
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); |
|
492 |
+- return !OK; |
|
493 |
+- } |
|
494 |
+-#endif |
|
495 |
+- |
|
496 |
+- return OK; |
|
497 |
+-} |
|
498 |
+- |
|
499 |
+-static int ssl_tmp_key_init_dh(server_rec *s, |
|
500 |
+- int bits, int idx) |
|
501 |
+-{ |
|
502 |
+- SSLModConfigRec *mc = myModConfig(s); |
|
503 |
+- |
|
504 |
+-#ifdef HAVE_FIPS |
|
505 |
+- |
|
506 |
+- if (FIPS_mode() && bits < 1024) { |
|
507 |
+- mc->pTmpKeys[idx] = NULL; |
|
508 |
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01880) |
|
509 |
+- "Init: Skipping generating temporary " |
|
510 |
+- "%d bit DH parameters in FIPS mode", bits); |
|
511 |
+- return OK; |
|
512 |
+- } |
|
513 |
+- |
|
514 |
+-#endif |
|
515 |
+- |
|
516 |
+- if (!(mc->pTmpKeys[idx] = |
|
517 |
+- ssl_dh_GetTmpParam(bits))) |
|
518 |
+- { |
|
519 |
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01881) |
|
520 |
+- "Init: Failed to generate temporary " |
|
521 |
+- "%d bit DH parameters", bits); |
|
522 |
+- return !OK; |
|
523 |
+- } |
|
524 |
+- |
|
525 |
+- return OK; |
|
526 |
+-} |
|
527 |
+- |
|
528 |
+-#ifndef OPENSSL_NO_EC |
|
529 |
+-static int ssl_tmp_key_init_ec(server_rec *s, |
|
530 |
+- int bits, int idx) |
|
531 |
+-{ |
|
532 |
+- SSLModConfigRec *mc = myModConfig(s); |
|
533 |
+- EC_KEY *ecdh = NULL; |
|
534 |
+- |
|
535 |
+- /* XXX: Are there any FIPS constraints we should enforce? */ |
|
536 |
+- |
|
537 |
+- if (bits != 256) { |
|
538 |
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298) |
|
539 |
+- "Init: Failed to generate temporary " |
|
540 |
+- "%d bit EC parameters, only 256 bits supported", bits); |
|
541 |
+- return !OK; |
|
542 |
+- } |
|
543 |
+- |
|
544 |
+- if ((ecdh = EC_KEY_new()) == NULL || |
|
545 |
+- EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1) |
|
546 |
+- { |
|
547 |
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299) |
|
548 |
+- "Init: Failed to generate temporary " |
|
549 |
+- "%d bit EC parameters", bits); |
|
550 |
+- return !OK; |
|
551 |
+- } |
|
552 |
+- |
|
553 |
+- mc->pTmpKeys[idx] = ecdh; |
|
554 |
+- return OK; |
|
555 |
+-} |
|
556 |
+- |
|
557 |
+-#define MODSSL_TMP_KEY_INIT_EC(s, bits) \ |
|
558 |
+- ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits) |
|
559 |
+- |
|
560 |
+-#endif |
|
561 |
+- |
|
562 |
+-#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \ |
|
563 |
+- ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits) |
|
564 |
+- |
|
565 |
+-#define MODSSL_TMP_KEY_INIT_DH(s, bits) \ |
|
566 |
+- ssl_tmp_key_init_dh(s, bits, SSL_TMP_KEY_DH_##bits) |
|
567 |
+- |
|
568 |
+-static int ssl_tmp_keys_init(server_rec *s) |
|
569 |
+-{ |
|
570 |
+- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, |
|
571 |
+- "Init: Generating temporary RSA private keys (512/1024 bits)"); |
|
572 |
+- |
|
573 |
+- if (MODSSL_TMP_KEY_INIT_RSA(s, 512) || |
|
574 |
+- MODSSL_TMP_KEY_INIT_RSA(s, 1024)) { |
|
575 |
+- return !OK; |
|
576 |
+- } |
|
577 |
+- |
|
578 |
+- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, |
|
579 |
+- "Init: Generating temporary DH parameters (512/1024 bits)"); |
|
580 |
+- |
|
581 |
+- if (MODSSL_TMP_KEY_INIT_DH(s, 512) || |
|
582 |
+- MODSSL_TMP_KEY_INIT_DH(s, 1024)) { |
|
583 |
+- return !OK; |
|
584 |
+- } |
|
585 |
+- |
|
586 |
+-#ifndef OPENSSL_NO_EC |
|
587 |
+- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, |
|
588 |
+- "Init: Generating temporary EC parameters (256 bits)"); |
|
589 |
+- |
|
590 |
+- if (MODSSL_TMP_KEY_INIT_EC(s, 256)) { |
|
591 |
+- return !OK; |
|
592 |
+- } |
|
593 |
+-#endif |
|
594 |
+- |
|
595 |
+- return OK; |
|
596 |
+-} |
|
597 |
+- |
|
598 |
+ /* |
|
599 |
+ * Per-module initialization |
|
600 |
+ */ |
|
601 |
+@@ -367,10 +193,6 @@ |
|
602 |
+ */ |
|
603 |
+ ssl_pphrase_Handle(base_server, ptemp); |
|
604 |
+ |
|
605 |
+- if (ssl_tmp_keys_init(base_server)) { |
|
606 |
+- return !OK; |
|
607 |
+- } |
|
608 |
+- |
|
609 |
+ /* |
|
610 |
+ * initialize the mutex handling |
|
611 |
+ */ |
|
612 |
+@@ -481,7 +303,7 @@ |
|
613 |
+ */ |
|
614 |
+ if (mctx->pks->certs[SSL_AIDX_RSA] || |
|
615 |
+ mctx->pks->certs[SSL_AIDX_DSA] |
|
616 |
+-#ifndef OPENSSL_NO_EC |
|
617 |
++#ifdef HAVE_ECC |
|
618 |
+ || mctx->pks->certs[SSL_AIDX_ECC] |
|
619 |
+ #endif |
|
620 |
+ ) |
|
621 |
+@@ -493,7 +315,7 @@ |
|
622 |
+ } |
|
623 |
+ } |
|
624 |
+ |
|
625 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
626 |
++#ifdef HAVE_TLSEXT |
|
627 |
+ static void ssl_init_ctx_tls_extensions(server_rec *s, |
|
628 |
+ apr_pool_t *p, |
|
629 |
+ apr_pool_t *ptemp, |
|
630 |
+@@ -527,7 +349,7 @@ |
|
631 |
+ } |
|
632 |
+ #endif |
|
633 |
+ |
|
634 |
+-#ifndef OPENSSL_NO_SRP |
|
635 |
++#ifdef HAVE_SRP |
|
636 |
+ /* |
|
637 |
+ * TLS-SRP support |
|
638 |
+ */ |
|
639 |
+@@ -660,7 +482,7 @@ |
|
640 |
+ #ifdef SSL_OP_NO_COMPRESSION |
|
641 |
+ /* OpenSSL >= 1.0 only */ |
|
642 |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); |
|
643 |
+-#elif OPENSSL_VERSION_NUMBER >= 0x00908000L |
|
644 |
++#else |
|
645 |
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); |
|
646 |
+ #endif |
|
647 |
+ } |
|
648 |
+@@ -678,6 +500,9 @@ |
|
649 |
+ * Configure additional context ingredients |
|
650 |
+ */ |
|
651 |
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); |
|
652 |
++#ifdef HAVE_ECC |
|
653 |
++ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); |
|
654 |
++#endif |
|
655 |
+ |
|
656 |
+ #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
|
657 |
+ /* |
|
658 |
+@@ -718,11 +543,7 @@ |
|
659 |
+ { |
|
660 |
+ SSL_CTX *ctx = mctx->ssl_ctx; |
|
661 |
+ |
|
662 |
+- SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); |
|
663 |
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); |
|
664 |
+-#ifndef OPENSSL_NO_EC |
|
665 |
+- SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH); |
|
666 |
+-#endif |
|
667 |
+ |
|
668 |
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); |
|
669 |
+ } |
|
670 |
+@@ -818,14 +639,16 @@ |
|
671 |
+ modssl_ctx_t *mctx) |
|
672 |
+ { |
|
673 |
+ SSL_CTX *ctx = mctx->ssl_ctx; |
|
674 |
+- const char *suite = mctx->auth.cipher_suite; |
|
675 |
++ const char *suite; |
|
676 |
+ |
|
677 |
+ /* |
|
678 |
+- * Configure SSL Cipher Suite |
|
679 |
++ * Configure SSL Cipher Suite. Always disable NULL and export ciphers, |
|
680 |
++ * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite(). |
|
681 |
++ * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL, |
|
682 |
++ * so only prepend !EXP in this case. |
|
683 |
+ */ |
|
684 |
+- if (!suite) { |
|
685 |
+- return; |
|
686 |
+- } |
|
687 |
++ suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite : |
|
688 |
++ apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL); |
|
689 |
+ |
|
690 |
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, |
|
691 |
+ "Configuring permitted SSL ciphers [%s]", |
|
692 |
+@@ -988,7 +811,7 @@ |
|
693 |
+ if (mctx->pks) { |
|
694 |
+ /* XXX: proxy support? */ |
|
695 |
+ ssl_init_ctx_cert_chain(s, p, ptemp, mctx); |
|
696 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
697 |
++#ifdef HAVE_TLSEXT |
|
698 |
+ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); |
|
699 |
+ #endif |
|
700 |
+ } |
|
701 |
+@@ -1001,7 +824,7 @@ |
|
702 |
+ { |
|
703 |
+ SSLModConfigRec *mc = myModConfig(s); |
|
704 |
+ ssl_asn1_t *asn1; |
|
705 |
+- MODSSL_D2I_X509_CONST unsigned char *ptr; |
|
706 |
++ const unsigned char *ptr; |
|
707 |
+ const char *type = ssl_asn1_keystr(idx); |
|
708 |
+ X509 *cert; |
|
709 |
+ |
|
710 |
+@@ -1048,12 +871,12 @@ |
|
711 |
+ { |
|
712 |
+ SSLModConfigRec *mc = myModConfig(s); |
|
713 |
+ ssl_asn1_t *asn1; |
|
714 |
+- MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; |
|
715 |
++ const unsigned char *ptr; |
|
716 |
+ const char *type = ssl_asn1_keystr(idx); |
|
717 |
+ int pkey_type; |
|
718 |
+ EVP_PKEY *pkey; |
|
719 |
+ |
|
720 |
+-#ifndef OPENSSL_NO_EC |
|
721 |
++#ifdef HAVE_ECC |
|
722 |
+ if (idx == SSL_AIDX_ECC) |
|
723 |
+ pkey_type = EVP_PKEY_EC; |
|
724 |
+ else |
|
725 |
+@@ -1157,30 +980,34 @@ |
|
726 |
+ modssl_ctx_t *mctx) |
|
727 |
+ { |
|
728 |
+ const char *rsa_id, *dsa_id; |
|
729 |
+-#ifndef OPENSSL_NO_EC |
|
730 |
++#ifdef HAVE_ECC |
|
731 |
+ const char *ecc_id; |
|
732 |
++ EC_GROUP *ecparams; |
|
733 |
++ int nid; |
|
734 |
++ EC_KEY *eckey; |
|
735 |
+ #endif |
|
736 |
+ const char *vhost_id = mctx->sc->vhost_id; |
|
737 |
+ int i; |
|
738 |
+ int have_rsa, have_dsa; |
|
739 |
+-#ifndef OPENSSL_NO_EC |
|
740 |
++ DH *dhparams; |
|
741 |
++#ifdef HAVE_ECC |
|
742 |
+ int have_ecc; |
|
743 |
+ #endif |
|
744 |
+ |
|
745 |
+ rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); |
|
746 |
+ dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); |
|
747 |
+-#ifndef OPENSSL_NO_EC |
|
748 |
++#ifdef HAVE_ECC |
|
749 |
+ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); |
|
750 |
+ #endif |
|
751 |
+ |
|
752 |
+ have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); |
|
753 |
+ have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); |
|
754 |
+-#ifndef OPENSSL_NO_EC |
|
755 |
++#ifdef HAVE_ECC |
|
756 |
+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); |
|
757 |
+ #endif |
|
758 |
+ |
|
759 |
+ if (!(have_rsa || have_dsa |
|
760 |
+-#ifndef OPENSSL_NO_EC |
|
761 |
++#ifdef HAVE_ECC |
|
762 |
+ || have_ecc |
|
763 |
+ #endif |
|
764 |
+ )) { |
|
765 |
+@@ -1196,12 +1023,12 @@ |
|
766 |
+ |
|
767 |
+ have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); |
|
768 |
+ have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); |
|
769 |
+-#ifndef OPENSSL_NO_EC |
|
770 |
++#ifdef HAVE_ECC |
|
771 |
+ have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); |
|
772 |
+ #endif |
|
773 |
+ |
|
774 |
+ if (!(have_rsa || have_dsa |
|
775 |
+-#ifndef OPENSSL_NO_EC |
|
776 |
++#ifdef HAVE_ECC |
|
777 |
+ || have_ecc |
|
778 |
+ #endif |
|
779 |
+ )) { |
|
780 |
+@@ -1209,6 +1036,40 @@ |
|
781 |
+ "Oops, no " KEYTYPES " server private key found?!"); |
|
782 |
+ ssl_die(s); |
|
783 |
+ } |
|
784 |
++ |
|
785 |
++ /* |
|
786 |
++ * Try to read DH parameters from the (first) SSLCertificateFile |
|
787 |
++ */ |
|
788 |
++ if ((mctx->pks->cert_files[0] != NULL) && |
|
789 |
++ (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) { |
|
790 |
++ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); |
|
791 |
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) |
|
792 |
++ "Custom DH parameters (%d bits) for %s loaded from %s", |
|
793 |
++ BN_num_bits(dhparams->p), vhost_id, |
|
794 |
++ mctx->pks->cert_files[0]); |
|
795 |
++ } |
|
796 |
++ |
|
797 |
++#ifdef HAVE_ECC |
|
798 |
++ /* |
|
799 |
++ * Similarly, try to read the ECDH curve name from SSLCertificateFile... |
|
800 |
++ */ |
|
801 |
++ if ((mctx->pks->cert_files[0] != NULL) && |
|
802 |
++ (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) && |
|
803 |
++ (nid = EC_GROUP_get_curve_name(ecparams)) && |
|
804 |
++ (eckey = EC_KEY_new_by_curve_name(nid))) { |
|
805 |
++ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); |
|
806 |
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541) |
|
807 |
++ "ECDH curve %s for %s specified in %s", |
|
808 |
++ OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]); |
|
809 |
++ } |
|
810 |
++ /* |
|
811 |
++ * ...otherwise, configure NIST P-256 (required to enable ECDHE) |
|
812 |
++ */ |
|
813 |
++ else { |
|
814 |
++ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, |
|
815 |
++ EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); |
|
816 |
++ } |
|
817 |
++#endif |
|
818 |
+ } |
|
819 |
+ |
|
820 |
+ #ifdef HAVE_TLS_SESSION_TICKETS |
|
821 |
+@@ -1516,7 +1377,7 @@ |
|
822 |
+ klen = strlen(key); |
|
823 |
+ |
|
824 |
+ if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { |
|
825 |
+-#ifdef OPENSSL_NO_TLSEXT |
|
826 |
++#ifndef HAVE_TLSEXT |
|
827 |
+ int level = APLOG_WARNING; |
|
828 |
+ const char *problem = "conflict"; |
|
829 |
+ #else |
|
830 |
+@@ -1540,7 +1401,7 @@ |
|
831 |
+ } |
|
832 |
+ |
|
833 |
+ if (conflict) { |
|
834 |
+-#ifdef OPENSSL_NO_TLSEXT |
|
835 |
++#ifndef HAVE_TLSEXT |
|
836 |
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) |
|
837 |
+ "Init: You should not use name-based " |
|
838 |
+ "virtual hosts in conjunction with SSL!!"); |
|
839 |
+@@ -1689,7 +1550,7 @@ |
|
840 |
+ { |
|
841 |
+ MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx); |
|
842 |
+ |
|
843 |
+-#ifndef OPENSSL_NO_SRP |
|
844 |
++#ifdef HAVE_SRP |
|
845 |
+ if (mctx->srp_vbase != NULL) { |
|
846 |
+ SRP_VBASE_free(mctx->srp_vbase); |
|
847 |
+ mctx->srp_vbase = NULL; |
|
848 |
+@@ -1745,11 +1606,6 @@ |
|
849 |
+ ssl_scache_kill(base_server); |
|
850 |
+ |
|
851 |
+ /* |
|
852 |
+- * Destroy the temporary keys and params |
|
853 |
+- */ |
|
854 |
+- ssl_tmp_keys_free(base_server); |
|
855 |
+- |
|
856 |
+- /* |
|
857 |
+ * Free the non-pool allocated structures |
|
858 |
+ * in the per-server configurations |
|
859 |
+ */ |
|
860 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_io.c httpd-2.4.6/modules/ssl/ssl_engine_io.c |
|
861 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_io.c 2013-10-01 12:20:45.775812088 +0200 |
|
862 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_io.c 2013-10-01 12:20:50.991746880 +0200 |
|
863 |
+@@ -1048,7 +1048,7 @@ |
|
864 |
+ |
|
865 |
+ server = sslconn->server; |
|
866 |
+ if (sslconn->is_proxy) { |
|
867 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
868 |
++#ifdef HAVE_TLSEXT |
|
869 |
+ apr_ipsubnet_t *ip; |
|
870 |
+ #endif |
|
871 |
+ const char *hostname_note = apr_table_get(c->notes, |
|
872 |
+@@ -1056,7 +1056,7 @@ |
|
873 |
+ BOOL proxy_ssl_check_peer_ok = TRUE; |
|
874 |
+ sc = mySrvConfig(server); |
|
875 |
+ |
|
876 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
877 |
++#ifdef HAVE_TLSEXT |
|
878 |
+ /* |
|
879 |
+ * Enable SNI for backend requests. Make sure we don't do it for |
|
880 |
+ * pure SSLv3 connections, and also prevent IP addresses |
|
881 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_kernel.c httpd-2.4.6/modules/ssl/ssl_engine_kernel.c |
|
882 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_kernel.c 2013-10-01 12:20:45.776812076 +0200 |
|
883 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c 2013-10-01 12:20:50.992746868 +0200 |
|
884 |
+@@ -32,7 +32,7 @@ |
|
885 |
+ #include "util_md5.h" |
|
886 |
+ |
|
887 |
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); |
|
888 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
889 |
++#ifdef HAVE_TLSEXT |
|
890 |
+ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); |
|
891 |
+ #endif |
|
892 |
+ |
|
893 |
+@@ -119,7 +119,7 @@ |
|
894 |
+ SSLSrvConfigRec *sc = mySrvConfig(r->server); |
|
895 |
+ SSLConnRec *sslconn; |
|
896 |
+ const char *upgrade; |
|
897 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
898 |
++#ifdef HAVE_TLSEXT |
|
899 |
+ const char *servername; |
|
900 |
+ #endif |
|
901 |
+ SSL *ssl; |
|
902 |
+@@ -162,7 +162,7 @@ |
|
903 |
+ if (!ssl) { |
|
904 |
+ return DECLINED; |
|
905 |
+ } |
|
906 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
907 |
++#ifdef HAVE_TLSEXT |
|
908 |
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { |
|
909 |
+ char *host, *scope_id; |
|
910 |
+ apr_port_t port; |
|
911 |
+@@ -329,7 +329,7 @@ |
|
912 |
+ return DECLINED; |
|
913 |
+ } |
|
914 |
+ |
|
915 |
+-#ifndef OPENSSL_NO_SRP |
|
916 |
++#ifdef HAVE_SRP |
|
917 |
+ /* |
|
918 |
+ * Support for per-directory reconfigured SSL connection parameters |
|
919 |
+ * |
|
920 |
+@@ -1101,7 +1101,7 @@ |
|
921 |
+ "SSL_SERVER_A_SIG", |
|
922 |
+ "SSL_SESSION_ID", |
|
923 |
+ "SSL_SESSION_RESUMED", |
|
924 |
+-#ifndef OPENSSL_NO_SRP |
|
925 |
++#ifdef HAVE_SRP |
|
926 |
+ "SSL_SRP_USER", |
|
927 |
+ "SSL_SRP_USERINFO", |
|
928 |
+ #endif |
|
929 |
+@@ -1115,7 +1115,7 @@ |
|
930 |
+ SSLDirConfigRec *dc = myDirConfig(r); |
|
931 |
+ apr_table_t *env = r->subprocess_env; |
|
932 |
+ char *var, *val = ""; |
|
933 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
934 |
++#ifdef HAVE_TLSEXT |
|
935 |
+ const char *servername; |
|
936 |
+ #endif |
|
937 |
+ STACK_OF(X509) *peer_certs; |
|
938 |
+@@ -1144,7 +1144,7 @@ |
|
939 |
+ /* the always present HTTPS (=HTTP over SSL) flag! */ |
|
940 |
+ apr_table_setn(env, "HTTPS", "on"); |
|
941 |
+ |
|
942 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
943 |
++#ifdef HAVE_TLSEXT |
|
944 |
+ /* add content of SNI TLS extension (if supplied with ClientHello) */ |
|
945 |
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { |
|
946 |
+ apr_table_set(env, "SSL_TLS_SNI", servername); |
|
947 |
+@@ -1287,117 +1287,70 @@ |
|
948 |
+ */ |
|
949 |
+ |
|
950 |
+ /* |
|
951 |
+- * Handle out temporary RSA private keys on demand |
|
952 |
+- * |
|
953 |
+- * The background of this as the TLSv1 standard explains it: |
|
954 |
+- * |
|
955 |
+- * | D.1. Temporary RSA keys |
|
956 |
+- * | |
|
957 |
+- * | US Export restrictions limit RSA keys used for encryption to 512 |
|
958 |
+- * | bits, but do not place any limit on lengths of RSA keys used for |
|
959 |
+- * | signing operations. Certificates often need to be larger than 512 |
|
960 |
+- * | bits, since 512-bit RSA keys are not secure enough for high-value |
|
961 |
+- * | transactions or for applications requiring long-term security. Some |
|
962 |
+- * | certificates are also designated signing-only, in which case they |
|
963 |
+- * | cannot be used for key exchange. |
|
964 |
+- * | |
|
965 |
+- * | When the public key in the certificate cannot be used for encryption, |
|
966 |
+- * | the server signs a temporary RSA key, which is then exchanged. In |
|
967 |
+- * | exportable applications, the temporary RSA key should be the maximum |
|
968 |
+- * | allowable length (i.e., 512 bits). Because 512-bit RSA keys are |
|
969 |
+- * | relatively insecure, they should be changed often. For typical |
|
970 |
+- * | electronic commerce applications, it is suggested that keys be |
|
971 |
+- * | changed daily or every 500 transactions, and more often if possible. |
|
972 |
+- * | Note that while it is acceptable to use the same temporary key for |
|
973 |
+- * | multiple transactions, it must be signed each time it is used. |
|
974 |
+- * | |
|
975 |
+- * | RSA key generation is a time-consuming process. In many cases, a |
|
976 |
+- * | low-priority process can be assigned the task of key generation. |
|
977 |
+- * | Whenever a new key is completed, the existing temporary key can be |
|
978 |
+- * | replaced with the new one. |
|
979 |
+- * |
|
980 |
+- * XXX: base on comment above, if thread support is enabled, |
|
981 |
+- * we should spawn a low-priority thread to generate new keys |
|
982 |
+- * on the fly. |
|
983 |
+- * |
|
984 |
+- * So we generated 512 and 1024 bit temporary keys on startup |
|
985 |
+- * which we now just hand out on demand.... |
|
986 |
++ * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h> |
|
987 |
++ * (get_rfc*) for all available primes. |
|
988 |
+ */ |
|
989 |
+- |
|
990 |
+-RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) |
|
991 |
+-{ |
|
992 |
+- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); |
|
993 |
+- SSLModConfigRec *mc = myModConfigFromConn(c); |
|
994 |
+- int idx; |
|
995 |
+- |
|
996 |
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, |
|
997 |
+- "handing out temporary %d bit RSA key", keylen); |
|
998 |
+- |
|
999 |
+- /* doesn't matter if export flag is on, |
|
1000 |
+- * we won't be asked for keylen > 512 in that case. |
|
1001 |
+- * if we are asked for a keylen > 1024, it is too expensive |
|
1002 |
+- * to generate on the fly. |
|
1003 |
+- * XXX: any reason not to generate 2048 bit keys at startup? |
|
1004 |
+- */ |
|
1005 |
+- |
|
1006 |
+- switch (keylen) { |
|
1007 |
+- case 512: |
|
1008 |
+- idx = SSL_TMP_KEY_RSA_512; |
|
1009 |
+- break; |
|
1010 |
+- |
|
1011 |
+- case 1024: |
|
1012 |
+- default: |
|
1013 |
+- idx = SSL_TMP_KEY_RSA_1024; |
|
1014 |
+- } |
|
1015 |
+- |
|
1016 |
+- return (RSA *)mc->pTmpKeys[idx]; |
|
1017 |
++#define make_get_dh(rfc,size,gen) \ |
|
1018 |
++static DH *get_dh##size(void) \ |
|
1019 |
++{ \ |
|
1020 |
++ DH *dh; \ |
|
1021 |
++ if (!(dh = DH_new())) { \ |
|
1022 |
++ return NULL; \ |
|
1023 |
++ } \ |
|
1024 |
++ dh->p = get_##rfc##_prime_##size(NULL); \ |
|
1025 |
++ BN_dec2bn(&dh->g, #gen); \ |
|
1026 |
++ if (!dh->p || !dh->g) { \ |
|
1027 |
++ DH_free(dh); \ |
|
1028 |
++ return NULL; \ |
|
1029 |
++ } \ |
|
1030 |
++ return dh; \ |
|
1031 |
+ } |
|
1032 |
+ |
|
1033 |
+ /* |
|
1034 |
+- * Hand out the already generated DH parameters... |
|
1035 |
++ * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments |
|
1036 |
++ */ |
|
1037 |
++make_get_dh(rfc2409, 1024, 2) |
|
1038 |
++make_get_dh(rfc3526, 2048, 2) |
|
1039 |
++make_get_dh(rfc3526, 3072, 2) |
|
1040 |
++make_get_dh(rfc3526, 4096, 2) |
|
1041 |
++ |
|
1042 |
++/* |
|
1043 |
++ * Hand out standard DH parameters, based on the authentication strength |
|
1044 |
+ */ |
|
1045 |
+ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) |
|
1046 |
+ { |
|
1047 |
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); |
|
1048 |
+- SSLModConfigRec *mc = myModConfigFromConn(c); |
|
1049 |
+- int idx; |
|
1050 |
+- |
|
1051 |
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, |
|
1052 |
+- "handing out temporary %d bit DH key", keylen); |
|
1053 |
++ EVP_PKEY *pkey = SSL_get_privatekey(ssl); |
|
1054 |
++ int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; |
|
1055 |
+ |
|
1056 |
+- switch (keylen) { |
|
1057 |
+- case 512: |
|
1058 |
+- idx = SSL_TMP_KEY_DH_512; |
|
1059 |
+- break; |
|
1060 |
+- |
|
1061 |
+- case 1024: |
|
1062 |
+- default: |
|
1063 |
+- idx = SSL_TMP_KEY_DH_1024; |
|
1064 |
++ /* |
|
1065 |
++ * OpenSSL will call us with either keylen == 512 or keylen == 1024 |
|
1066 |
++ * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h). |
|
1067 |
++ * Adjust the DH parameter length according to the size of the |
|
1068 |
++ * RSA/DSA private key used for the current connection, and always |
|
1069 |
++ * use at least 1024-bit parameters. |
|
1070 |
++ * Note: This may cause interoperability issues with implementations |
|
1071 |
++ * which limit their DH support to 1024 bit - e.g. Java 7 and earlier. |
|
1072 |
++ * In this case, SSLCertificateFile can be used to specify fixed |
|
1073 |
++ * 1024-bit DH parameters (with the effect that OpenSSL skips this |
|
1074 |
++ * callback). |
|
1075 |
++ */ |
|
1076 |
++ if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) { |
|
1077 |
++ keylen = EVP_PKEY_bits(pkey); |
|
1078 |
+ } |
|
1079 |
+ |
|
1080 |
+- return (DH *)mc->pTmpKeys[idx]; |
|
1081 |
+-} |
|
1082 |
+- |
|
1083 |
+-#ifndef OPENSSL_NO_EC |
|
1084 |
+-EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen) |
|
1085 |
+-{ |
|
1086 |
+- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); |
|
1087 |
+- SSLModConfigRec *mc = myModConfigFromConn(c); |
|
1088 |
+- int idx; |
|
1089 |
+- |
|
1090 |
+- /* XXX Uses 256-bit key for now. TODO: support other sizes. */ |
|
1091 |
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, |
|
1092 |
+- "handing out temporary 256 bit ECC key"); |
|
1093 |
++ "handing out built-in DH parameters for %d-bit authenticated connection", keylen); |
|
1094 |
+ |
|
1095 |
+- switch (keylen) { |
|
1096 |
+- case 256: |
|
1097 |
+- default: |
|
1098 |
+- idx = SSL_TMP_KEY_EC_256; |
|
1099 |
+- } |
|
1100 |
+- |
|
1101 |
+- return (EC_KEY *)mc->pTmpKeys[idx]; |
|
1102 |
++ if (keylen >= 4096) |
|
1103 |
++ return get_dh4096(); |
|
1104 |
++ else if (keylen >= 3072) |
|
1105 |
++ return get_dh3072(); |
|
1106 |
++ else if (keylen >= 2048) |
|
1107 |
++ return get_dh2048(); |
|
1108 |
++ else |
|
1109 |
++ return get_dh1024(); |
|
1110 |
+ } |
|
1111 |
+-#endif |
|
1112 |
+ |
|
1113 |
+ /* |
|
1114 |
+ * This OpenSSL callback function is called when OpenSSL |
|
1115 |
+@@ -1938,7 +1891,7 @@ |
|
1116 |
+ } |
|
1117 |
+ } |
|
1118 |
+ |
|
1119 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
1120 |
++#ifdef HAVE_TLSEXT |
|
1121 |
+ /* |
|
1122 |
+ * This callback function is executed when OpenSSL encounters an extended |
|
1123 |
+ * client hello with a server name indication extension ("SNI", cf. RFC 4366). |
|
1124 |
+@@ -2089,7 +2042,7 @@ |
|
1125 |
+ |
|
1126 |
+ return 0; |
|
1127 |
+ } |
|
1128 |
+-#endif /* OPENSSL_NO_TLSEXT */ |
|
1129 |
++#endif /* HAVE_TLSEXT */ |
|
1130 |
+ |
|
1131 |
+ #ifdef HAVE_TLS_SESSION_TICKETS |
|
1132 |
+ /* |
|
1133 |
+@@ -2161,7 +2114,7 @@ |
|
1134 |
+ } |
|
1135 |
+ #endif /* HAVE_TLS_SESSION_TICKETS */ |
|
1136 |
+ |
|
1137 |
+-#ifndef OPENSSL_NO_SRP |
|
1138 |
++#ifdef HAVE_SRP |
|
1139 |
+ |
|
1140 |
+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) |
|
1141 |
+ { |
|
1142 |
+@@ -2185,4 +2138,4 @@ |
|
1143 |
+ return SSL_ERROR_NONE; |
|
1144 |
+ } |
|
1145 |
+ |
|
1146 |
+-#endif /* OPENSSL_NO_SRP */ |
|
1147 |
++#endif /* HAVE_SRP */ |
|
1148 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_pphrase.c httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c |
|
1149 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_pphrase.c 2013-10-01 12:20:45.777812063 +0200 |
|
1150 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c 2013-10-01 12:20:50.992746868 +0200 |
|
1151 |
+@@ -708,7 +708,7 @@ |
|
1152 |
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966) |
|
1153 |
+ "Init: Failed to create pass phrase pipe '%s'", |
|
1154 |
+ sc->server->pphrase_dialog_path); |
|
1155 |
+- PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); |
|
1156 |
++ PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); |
|
1157 |
+ memset(buf, 0, (unsigned int)bufsize); |
|
1158 |
+ return (-1); |
|
1159 |
+ } |
|
1160 |
+@@ -718,7 +718,7 @@ |
|
1161 |
+ } |
|
1162 |
+ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ |
|
1163 |
+ #ifdef WIN32 |
|
1164 |
+- PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); |
|
1165 |
++ PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); |
|
1166 |
+ memset(buf, 0, (unsigned int)bufsize); |
|
1167 |
+ return (-1); |
|
1168 |
+ #else |
|
1169 |
+@@ -769,7 +769,7 @@ |
|
1170 |
+ i = EVP_read_pw_string(buf, bufsize, "", FALSE); |
|
1171 |
+ } |
|
1172 |
+ if (i != 0) { |
|
1173 |
+- PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); |
|
1174 |
++ PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); |
|
1175 |
+ memset(buf, 0, (unsigned int)bufsize); |
|
1176 |
+ return (-1); |
|
1177 |
+ } |
|
1178 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_vars.c httpd-2.4.6/modules/ssl/ssl_engine_vars.c |
|
1179 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_vars.c 2013-10-01 12:20:45.775812088 +0200 |
|
1180 |
++++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c 2013-10-01 12:20:50.992746868 +0200 |
|
1181 |
+@@ -382,7 +382,7 @@ |
|
1182 |
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { |
|
1183 |
+ result = ssl_var_lookup_ssl_compress_meth(ssl); |
|
1184 |
+ } |
|
1185 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
1186 |
++#ifdef HAVE_TLSEXT |
|
1187 |
+ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { |
|
1188 |
+ result = apr_pstrdup(p, SSL_get_servername(ssl, |
|
1189 |
+ TLSEXT_NAMETYPE_host_name)); |
|
1190 |
+@@ -395,7 +395,7 @@ |
|
1191 |
+ #endif |
|
1192 |
+ result = apr_pstrdup(p, flag ? "true" : "false"); |
|
1193 |
+ } |
|
1194 |
+-#ifndef OPENSSL_NO_SRP |
|
1195 |
++#ifdef HAVE_SRP |
|
1196 |
+ else if (ssl != NULL && strcEQ(var, "SRP_USER")) { |
|
1197 |
+ if ((result = SSL_get_srp_username(ssl)) != NULL) { |
|
1198 |
+ result = apr_pstrdup(p, result); |
|
1199 |
+@@ -879,7 +879,7 @@ |
|
1200 |
+ * success and writes the string to the given bio. */ |
|
1201 |
+ static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) |
|
1202 |
+ { |
|
1203 |
+- MODSSL_D2I_ASN1_type_bytes_CONST unsigned char *pp = str->data; |
|
1204 |
++ const unsigned char *pp = str->data; |
|
1205 |
+ ASN1_STRING *ret = ASN1_STRING_new(); |
|
1206 |
+ int rv = 0; |
|
1207 |
+ |
|
1208 |
+@@ -975,7 +975,7 @@ |
|
1209 |
+ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) |
|
1210 |
+ { |
|
1211 |
+ char *result = "NULL"; |
|
1212 |
+-#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP) |
|
1213 |
++#ifndef OPENSSL_NO_COMP |
|
1214 |
+ SSL_SESSION *pSession = SSL_get_session(ssl); |
|
1215 |
+ |
|
1216 |
+ if (pSession) { |
|
1217 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_private.h httpd-2.4.6/modules/ssl/ssl_private.h |
|
1218 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_private.h 2013-10-01 12:20:45.774812101 +0200 |
|
1219 |
++++ httpd-2.4.6/modules/ssl/ssl_private.h 2013-10-01 12:20:50.993746855 +0200 |
|
1220 |
+@@ -105,65 +105,55 @@ |
|
1221 |
+ #include <openssl/engine.h> |
|
1222 |
+ #endif |
|
1223 |
+ |
|
1224 |
+-#if (OPENSSL_VERSION_NUMBER < 0x0090700f) |
|
1225 |
+-#error mod_ssl requires OpenSSL 0.9.7 or later |
|
1226 |
+-#endif |
|
1227 |
+- |
|
1228 |
+-/* ...shifting sands of OpenSSL... */ |
|
1229 |
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090707f) |
|
1230 |
+-#define MODSSL_D2I_SSL_SESSION_CONST const |
|
1231 |
+-#else |
|
1232 |
+-#define MODSSL_D2I_SSL_SESSION_CONST |
|
1233 |
+-#endif |
|
1234 |
+- |
|
1235 |
+-#if (OPENSSL_VERSION_NUMBER >= 0x00908000) |
|
1236 |
+-#define HAVE_GENERATE_EX |
|
1237 |
+-#define MODSSL_D2I_ASN1_type_bytes_CONST const |
|
1238 |
+-#define MODSSL_D2I_PrivateKey_CONST const |
|
1239 |
+-#define MODSSL_D2I_X509_CONST const |
|
1240 |
+-#else |
|
1241 |
+-#define MODSSL_D2I_ASN1_type_bytes_CONST |
|
1242 |
+-#define MODSSL_D2I_PrivateKey_CONST |
|
1243 |
+-#define MODSSL_D2I_X509_CONST |
|
1244 |
+-#endif |
|
1245 |
+- |
|
1246 |
+-#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \ |
|
1247 |
+- && !defined(OPENSSL_NO_TLSEXT) |
|
1248 |
+-#define HAVE_OCSP_STAPLING |
|
1249 |
+-#if (OPENSSL_VERSION_NUMBER < 0x10000000) |
|
1250 |
+-#define sk_OPENSSL_STRING_pop sk_pop |
|
1251 |
+-#endif |
|
1252 |
+-#endif |
|
1253 |
+- |
|
1254 |
+-#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS) |
|
1255 |
+-#define HAVE_FIPS |
|
1256 |
++#if (OPENSSL_VERSION_NUMBER < 0x0090801f) |
|
1257 |
++#error mod_ssl requires OpenSSL 0.9.8a or later |
|
1258 |
+ #endif |
|
1259 |
+ |
|
1260 |
++/** |
|
1261 |
++ * ...shifting sands of OpenSSL... |
|
1262 |
++ * Note: when adding support for new OpenSSL features, avoid explicit |
|
1263 |
++ * version number checks whenever possible, and use "feature-based" |
|
1264 |
++ * detection instead (check for definitions of constants or functions) |
|
1265 |
++ */ |
|
1266 |
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000) |
|
1267 |
+ #define MODSSL_SSL_CIPHER_CONST const |
|
1268 |
+ #define MODSSL_SSL_METHOD_CONST const |
|
1269 |
+ #else |
|
1270 |
+ #define MODSSL_SSL_CIPHER_CONST |
|
1271 |
+ #define MODSSL_SSL_METHOD_CONST |
|
1272 |
+-/* ECC support came along in OpenSSL 1.0.0 */ |
|
1273 |
+-#define OPENSSL_NO_EC |
|
1274 |
+ #endif |
|
1275 |
+ |
|
1276 |
+-#ifndef PEM_F_DEF_CALLBACK |
|
1277 |
+-#ifdef PEM_F_PEM_DEF_CALLBACK |
|
1278 |
+-/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ |
|
1279 |
+-#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK |
|
1280 |
++#if defined(OPENSSL_FIPS) |
|
1281 |
++#define HAVE_FIPS |
|
1282 |
+ #endif |
|
1283 |
++ |
|
1284 |
++#if defined(SSL_OP_NO_TLSv1_2) |
|
1285 |
++#define HAVE_TLSV1_X |
|
1286 |
+ #endif |
|
1287 |
+ |
|
1288 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
1289 |
+-#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME |
|
1290 |
+-#define OPENSSL_NO_TLSEXT |
|
1291 |
++/** |
|
1292 |
++ * The following features all depend on TLS extension support. |
|
1293 |
++ * Within this block, check again for features (not version numbers). |
|
1294 |
++ */ |
|
1295 |
++#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) |
|
1296 |
++ |
|
1297 |
++#define HAVE_TLSEXT |
|
1298 |
++ |
|
1299 |
++/* ECC: make sure we have at least 1.0.0 */ |
|
1300 |
++#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) |
|
1301 |
++#define HAVE_ECC |
|
1302 |
++#endif |
|
1303 |
++ |
|
1304 |
++/* OCSP stapling */ |
|
1305 |
++#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) |
|
1306 |
++#define HAVE_OCSP_STAPLING |
|
1307 |
++#ifndef sk_OPENSSL_STRING_pop |
|
1308 |
++#define sk_OPENSSL_STRING_pop sk_pop |
|
1309 |
+ #endif |
|
1310 |
+ #endif |
|
1311 |
+ |
|
1312 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
1313 |
+-#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
|
1314 |
++/* TLS session tickets */ |
|
1315 |
++#if defined(SSL_CTX_set_tlsext_ticket_key_cb) |
|
1316 |
+ #define HAVE_TLS_SESSION_TICKETS |
|
1317 |
+ #define TLSEXT_TICKET_KEY_LEN 48 |
|
1318 |
+ #ifndef tlsext_tick_md |
|
1319 |
+@@ -174,26 +164,15 @@ |
|
1320 |
+ #endif |
|
1321 |
+ #endif |
|
1322 |
+ #endif |
|
1323 |
+-#endif |
|
1324 |
+ |
|
1325 |
+-#ifdef SSL_OP_NO_TLSv1_2 |
|
1326 |
+-#define HAVE_TLSV1_X |
|
1327 |
+-#endif |
|
1328 |
+- |
|
1329 |
+-#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ |
|
1330 |
+- && OPENSSL_VERSION_NUMBER < 0x00908000L |
|
1331 |
+-#define OPENSSL_NO_COMP |
|
1332 |
+-#endif |
|
1333 |
+- |
|
1334 |
+-/* SRP support came in OpenSSL 1.0.1 */ |
|
1335 |
+-#ifndef OPENSSL_NO_SRP |
|
1336 |
+-#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB |
|
1337 |
++/* Secure Remote Password */ |
|
1338 |
++#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB) |
|
1339 |
++#define HAVE_SRP |
|
1340 |
+ #include <openssl/srp.h> |
|
1341 |
+-#else |
|
1342 |
+-#define OPENSSL_NO_SRP |
|
1343 |
+-#endif |
|
1344 |
+ #endif |
|
1345 |
+ |
|
1346 |
++#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ |
|
1347 |
++ |
|
1348 |
+ /* mod_ssl headers */ |
|
1349 |
+ #include "ssl_util_ssl.h" |
|
1350 |
+ |
|
1351 |
+@@ -287,7 +266,7 @@ |
|
1352 |
+ #define SSL_ALGO_UNKNOWN (0) |
|
1353 |
+ #define SSL_ALGO_RSA (1<<0) |
|
1354 |
+ #define SSL_ALGO_DSA (1<<1) |
|
1355 |
+-#ifndef OPENSSL_NO_EC |
|
1356 |
++#ifdef HAVE_ECC |
|
1357 |
+ #define SSL_ALGO_ECC (1<<2) |
|
1358 |
+ #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) |
|
1359 |
+ #else |
|
1360 |
+@@ -296,29 +275,13 @@ |
|
1361 |
+ |
|
1362 |
+ #define SSL_AIDX_RSA (0) |
|
1363 |
+ #define SSL_AIDX_DSA (1) |
|
1364 |
+-#ifndef OPENSSL_NO_EC |
|
1365 |
++#ifdef HAVE_ECC |
|
1366 |
+ #define SSL_AIDX_ECC (2) |
|
1367 |
+ #define SSL_AIDX_MAX (3) |
|
1368 |
+ #else |
|
1369 |
+ #define SSL_AIDX_MAX (2) |
|
1370 |
+ #endif |
|
1371 |
+ |
|
1372 |
+- |
|
1373 |
+-/** |
|
1374 |
+- * Define IDs for the temporary RSA keys and DH params |
|
1375 |
+- */ |
|
1376 |
+- |
|
1377 |
+-#define SSL_TMP_KEY_RSA_512 (0) |
|
1378 |
+-#define SSL_TMP_KEY_RSA_1024 (1) |
|
1379 |
+-#define SSL_TMP_KEY_DH_512 (2) |
|
1380 |
+-#define SSL_TMP_KEY_DH_1024 (3) |
|
1381 |
+-#ifndef OPENSSL_NO_EC |
|
1382 |
+-#define SSL_TMP_KEY_EC_256 (4) |
|
1383 |
+-#define SSL_TMP_KEY_MAX (5) |
|
1384 |
+-#else |
|
1385 |
+-#define SSL_TMP_KEY_MAX (4) |
|
1386 |
+-#endif |
|
1387 |
+- |
|
1388 |
+ /** |
|
1389 |
+ * Define the SSL options |
|
1390 |
+ */ |
|
1391 |
+@@ -534,7 +497,6 @@ |
|
1392 |
+ apr_global_mutex_t *pMutex; |
|
1393 |
+ apr_array_header_t *aRandSeed; |
|
1394 |
+ apr_hash_t *tVHostKeys; |
|
1395 |
+- void *pTmpKeys[SSL_TMP_KEY_MAX]; |
|
1396 |
+ |
|
1397 |
+ /* Two hash tables of pointers to ssl_asn1_t structures. The |
|
1398 |
+ * structures are used to store certificates and private keys |
|
1399 |
+@@ -656,7 +618,7 @@ |
|
1400 |
+ const char *stapling_force_url; |
|
1401 |
+ #endif |
|
1402 |
+ |
|
1403 |
+-#ifndef OPENSSL_NO_SRP |
|
1404 |
++#ifdef HAVE_SRP |
|
1405 |
+ char *srp_vfile; |
|
1406 |
+ char *srp_unknown_user_seed; |
|
1407 |
+ SRP_VBASE *srp_vbase; |
|
1408 |
+@@ -688,7 +650,7 @@ |
|
1409 |
+ ssl_enabled_t proxy_ssl_check_peer_expire; |
|
1410 |
+ ssl_enabled_t proxy_ssl_check_peer_cn; |
|
1411 |
+ ssl_enabled_t proxy_ssl_check_peer_name; |
|
1412 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
1413 |
++#ifdef HAVE_TLSEXT |
|
1414 |
+ ssl_enabled_t strict_sni_vhost_check; |
|
1415 |
+ #endif |
|
1416 |
+ #ifdef HAVE_FIPS |
|
1417 |
+@@ -792,7 +754,7 @@ |
|
1418 |
+ const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); |
|
1419 |
+ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); |
|
1420 |
+ |
|
1421 |
+-#ifndef OPENSSL_NO_SRP |
|
1422 |
++#ifdef HAVE_SRP |
|
1423 |
+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); |
|
1424 |
+ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); |
|
1425 |
+ #endif |
|
1426 |
+@@ -823,11 +785,7 @@ |
|
1427 |
+ extern const authz_provider ssl_authz_provider_verify_client; |
|
1428 |
+ |
|
1429 |
+ /** OpenSSL callbacks */ |
|
1430 |
+-RSA *ssl_callback_TmpRSA(SSL *, int, int); |
|
1431 |
+ DH *ssl_callback_TmpDH(SSL *, int, int); |
|
1432 |
+-#ifndef OPENSSL_NO_EC |
|
1433 |
+-EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); |
|
1434 |
+-#endif |
|
1435 |
+ int ssl_callback_SSLVerify(int, X509_STORE_CTX *); |
|
1436 |
+ int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); |
|
1437 |
+ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); |
|
1438 |
+@@ -835,7 +793,7 @@ |
|
1439 |
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); |
|
1440 |
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); |
|
1441 |
+ void ssl_callback_Info(const SSL *, int, int); |
|
1442 |
+-#ifndef OPENSSL_NO_TLSEXT |
|
1443 |
++#ifdef HAVE_TLSEXT |
|
1444 |
+ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); |
|
1445 |
+ #endif |
|
1446 |
+ #ifdef HAVE_TLS_SESSION_TICKETS |
|
1447 |
+@@ -873,7 +831,7 @@ |
|
1448 |
+ void ssl_stapling_ex_init(void); |
|
1449 |
+ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); |
|
1450 |
+ #endif |
|
1451 |
+-#ifndef OPENSSL_NO_SRP |
|
1452 |
++#ifdef HAVE_SRP |
|
1453 |
+ int ssl_callback_SRPServerParams(SSL *, int *, void *); |
|
1454 |
+ #endif |
|
1455 |
+ |
|
1456 |
+@@ -906,8 +864,10 @@ |
|
1457 |
+ void ssl_pphrase_Handle(server_rec *, apr_pool_t *); |
|
1458 |
+ |
|
1459 |
+ /** Diffie-Hellman Parameter Support */ |
|
1460 |
+-DH *ssl_dh_GetTmpParam(int); |
|
1461 |
+-DH *ssl_dh_GetParamFromFile(char *); |
|
1462 |
++DH *ssl_dh_GetParamFromFile(const char *); |
|
1463 |
++#ifdef HAVE_ECC |
|
1464 |
++EC_GROUP *ssl_ec_GetParamFromFile(const char *); |
|
1465 |
++#endif |
|
1466 |
+ |
|
1467 |
+ unsigned char *ssl_asn1_table_set(apr_hash_t *table, |
|
1468 |
+ const char *key, |
|
1469 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_scache.c httpd-2.4.6/modules/ssl/ssl_scache.c |
|
1470 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_scache.c 2013-10-01 12:20:45.776812076 +0200 |
|
1471 |
++++ httpd-2.4.6/modules/ssl/ssl_scache.c 2013-10-01 12:20:50.993746855 +0200 |
|
1472 |
+@@ -148,7 +148,7 @@ |
|
1473 |
+ SSLModConfigRec *mc = myModConfig(s); |
|
1474 |
+ unsigned char dest[SSL_SESSION_MAX_DER]; |
|
1475 |
+ unsigned int destlen = SSL_SESSION_MAX_DER; |
|
1476 |
+- MODSSL_D2I_SSL_SESSION_CONST unsigned char *ptr; |
|
1477 |
++ const unsigned char *ptr; |
|
1478 |
+ apr_status_t rv; |
|
1479 |
+ |
|
1480 |
+ if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) { |
|
1481 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_util.c httpd-2.4.6/modules/ssl/ssl_util.c |
|
1482 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_util.c 2013-10-01 12:20:45.775812088 +0200 |
|
1483 |
++++ httpd-2.4.6/modules/ssl/ssl_util.c 2013-10-01 12:20:50.993746855 +0200 |
|
1484 |
+@@ -151,7 +151,7 @@ |
|
1485 |
+ case EVP_PKEY_DSA: |
|
1486 |
+ t = SSL_ALGO_DSA; |
|
1487 |
+ break; |
|
1488 |
+-#ifndef OPENSSL_NO_EC |
|
1489 |
++#ifdef HAVE_ECC |
|
1490 |
+ case EVP_PKEY_EC: |
|
1491 |
+ t = SSL_ALGO_ECC; |
|
1492 |
+ break; |
|
1493 |
+@@ -177,7 +177,7 @@ |
|
1494 |
+ case SSL_ALGO_DSA: |
|
1495 |
+ cp = "DSA"; |
|
1496 |
+ break; |
|
1497 |
+-#ifndef OPENSSL_NO_EC |
|
1498 |
++#ifdef HAVE_ECC |
|
1499 |
+ case SSL_ALGO_ECC: |
|
1500 |
+ cp = "ECC"; |
|
1501 |
+ break; |
|
1502 |
+@@ -253,7 +253,7 @@ |
|
1503 |
+ apr_hash_set(table, key, klen, NULL); |
|
1504 |
+ } |
|
1505 |
+ |
|
1506 |
+-#ifndef OPENSSL_NO_EC |
|
1507 |
++#ifdef HAVE_ECC |
|
1508 |
+ static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; |
|
1509 |
+ #else |
|
1510 |
+ static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; |
|
1511 |
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_util_ssl.c httpd-2.4.6/modules/ssl/ssl_util_ssl.c |
|
1512 |
+--- httpd-2.4.6-orig/modules/ssl/ssl_util_ssl.c 2013-10-01 12:20:45.777812063 +0200 |
|
1513 |
++++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c 2013-10-01 12:20:50.993746855 +0200 |
|
1514 |
+@@ -483,6 +483,38 @@ |
|
1515 |
+ |
|
1516 |
+ /* _________________________________________________________________ |
|
1517 |
+ ** |
|
1518 |
++** Custom (EC)DH parameter support |
|
1519 |
++** _________________________________________________________________ |
|
1520 |
++*/ |
|
1521 |
++ |
|
1522 |
++DH *ssl_dh_GetParamFromFile(const char *file) |
|
1523 |
++{ |
|
1524 |
++ DH *dh = NULL; |
|
1525 |
++ BIO *bio; |
|
1526 |
++ |
|
1527 |
++ if ((bio = BIO_new_file(file, "r")) == NULL) |
|
1528 |
++ return NULL; |
|
1529 |
++ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
|
1530 |
++ BIO_free(bio); |
|
1531 |
++ return (dh); |
|
1532 |
++} |
|
1533 |
++ |
|
1534 |
++#ifdef HAVE_ECC |
|
1535 |
++EC_GROUP *ssl_ec_GetParamFromFile(const char *file) |
|
1536 |
++{ |
|
1537 |
++ EC_GROUP *group = NULL; |
|
1538 |
++ BIO *bio; |
|
1539 |
++ |
|
1540 |
++ if ((bio = BIO_new_file(file, "r")) == NULL) |
|
1541 |
++ return NULL; |
|
1542 |
++ group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); |
|
1543 |
++ BIO_free(bio); |
|
1544 |
++ return (group); |
|
1545 |
++} |
|
1546 |
++#endif |
|
1547 |
++ |
|
1548 |
++/* _________________________________________________________________ |
|
1549 |
++** |
|
1550 |
+ ** Extra Server Certificate Chain Support |
|
1551 |
+ ** _________________________________________________________________ |
|
1552 |
+ */ |
|
0 | 1553 |