LILiK
/
openwrt-packages-dist


								--- a/modules/ssl/mod_ssl.c

								+++ b/modules/ssl/mod_ssl.c

								@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void)


								 static apr_status_t ssl_cleanup_pre_config(void *data)

								 {

								+#if MODSSL_USE_OPENSSL_PRE_1_1_API

								     /*

								      * Try to kill the internals of the SSL library.

								      */

								@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data)

								 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL

								 #ifndef OPENSSL_NO_COMP

								     SSL_COMP_free_compression_methods();

								-#endif

								 #endif


								     /* Usually needed per thread, but this parent process is single-threaded */

								-#if MODSSL_USE_OPENSSL_PRE_1_1_API

								 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL

								     ERR_remove_thread_state(NULL);

								 #else

								@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)

								      *       (when enabled) at this late stage in the game:

								      * CRYPTO_mem_leaks_fp(stderr);

								      */

								+#endif

								     return APR_SUCCESS;

								 }


								@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,

								 #else

								     OPENSSL_malloc_init();

								 #endif

								+#if MODSSL_USE_OPENSSL_PRE_1_1_API

								     ERR_load_crypto_strings();

								     SSL_load_error_strings();

								     SSL_library_init();

								+    OpenSSL_add_all_algorithms();

								+    OPENSSL_load_builtin_modules();

								+#endif

								 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

								     ENGINE_load_builtin_engines();

								 #endif

								-    OpenSSL_add_all_algorithms();

								-    OPENSSL_load_builtin_modules();


								     if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {

								         (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",

								--- a/modules/ssl/ssl_engine_init.c

								+++ b/modules/ssl/ssl_engine_init.c

								@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)


								     return 1;

								 }

								+

								+#define OpenSSL_version_num	SSLeay

								 #endif


								 /*

								@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,

								     apr_status_t rv;

								     apr_array_header_t *pphrases;


								-    if (SSLeay() < MODSSL_LIBRARY_VERSION) {

								+    if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {

								         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)

								                      "Init: this version of mod_ssl was compiled against "

								                      "a newer library (%s, version currently loaded is %s)"

								--- a/modules/ssl/ssl_engine_io.c

								+++ b/modules/ssl/ssl_engine_io.c

								@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)

								         if (dc->proxy->ssl_check_peer_expire != FALSE) {

								             if (!cert

								                 || (X509_cmp_current_time(

								-                     X509_get_notBefore(cert)) >= 0)

								+                     X509_get0_notBefore(cert)) >= 0)

								                 || (X509_cmp_current_time(

								-                     X509_get_notAfter(cert)) <= 0)) {

								+                     X509_get0_notAfter(cert)) <= 0)) {

								                 proxy_ssl_check_peer_ok = FALSE;

								                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)

								                               "SSL Proxy: Peer certificate is expired");

								--- a/modules/ssl/ssl_engine_log.c

								+++ b/modules/ssl/ssl_engine_log.c

								@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level,

								                 BIO_puts(bio, "(ERROR)");


								             BIO_puts(bio, " / notbefore: ");

								-            ASN1_TIME_print(bio, X509_get_notBefore(cert));

								+            ASN1_TIME_print(bio, X509_get0_notBefore(cert));


								             BIO_puts(bio, " / notafter: ");

								-            ASN1_TIME_print(bio, X509_get_notAfter(cert));

								+            ASN1_TIME_print(bio, X509_get0_notAfter(cert));


								             BIO_puts(bio, "]");


								--- a/modules/ssl/ssl_engine_vars.c

								+++ b/modules/ssl/ssl_engine_vars.c

								@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,

								         result = ssl_var_lookup_ssl_cert_serial(p, xs);

								     }

								     else if (strcEQ(var, "V_START")) {

								-        result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));

								+        result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs));

								     }

								     else if (strcEQ(var, "V_END")) {

								-        result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));

								+        result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs));

								     }

								     else if (strcEQ(var, "V_REMAIN")) {

								-        result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));

								+        result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs));

								         resdup = FALSE;

								     }

								     else if (*var && strcEQ(var+1, "_DN")) {

								--- a/modules/ssl/ssl_private.h

								+++ b/modules/ssl/ssl_private.h

								@@ -92,6 +92,8 @@

								 #include <openssl/x509.h>

								 #include <openssl/pem.h>

								 #include <openssl/crypto.h>

								+#include <openssl/bn.h>

								+#include <openssl/dh.h>

								 #include <openssl/evp.h>

								 #include <openssl/rand.h>

								 #include <openssl/x509v3.h>

								@@ -234,6 +236,10 @@

								 #define BIO_get_shutdown(x)        (x->shutdown)

								 #define BIO_set_shutdown(x,v)      (x->shutdown=v)

								 #define DH_bits(x)                 (BN_num_bits(x->p))

								+#define X509_get0_notBefore        X509_get_notBefore

								+#define X509_get0_notAfter         X509_get_notAfter

								+#define X509_getm_notBefore        X509_get_notBefore

								+#define X509_getm_notAfter         X509_get_notAfter

								 #else

								 void init_bio_methods(void);

								 void free_bio_methods(void);

								--- a/support/ab.c

								+++ b/support/ab.c

								@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE;

								 #define SSL_CTX_set_max_proto_version(ctx, version) \

								    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)

								 #endif

								+#if OPENSSL_VERSION_NUMBER < 0x10100000L

								+#define X509_get0_notBefore X509_get_notBefore

								+#define X509_get0_notAfter  X509_get_notAfter

								+#endif

								 #endif


								 #include <math.h>

								@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert)


								     BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1);

								     BIO_printf(bio,"Valid from: ");

								-    ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));

								+    ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));

								     BIO_printf(bio,"\n");


								     BIO_printf(bio,"Valid to  : ");

								-    ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));

								+    ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));

								     BIO_printf(bio,"\n");


								     pk = X509_get_pubkey(cert);

								@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[])

								     CRYPTO_malloc_init();

								 #endif

								 #endif

								+#if OPENSSL_VERSION_NUMBER < 0x10100000L

								     SSL_load_error_strings();

								     SSL_library_init();

								+#endif

								     bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);

								     bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);