[rs-commit] r146 - in /mod_csr/trunk: Makefile.am mod_csr.c openssl_setter_compat.h



Author: dirkx at redwax.eu
Date: Tue Dec  3 19:25:47 2019
New Revision: 146

Log:
Introduce a stopgap measure for the missing setter in OpenSSL 1.1.0..1.1.1.

Added:
    mod_csr/trunk/openssl_setter_compat.h   (with props)
Modified:
    mod_csr/trunk/Makefile.am
    mod_csr/trunk/mod_csr.c

Modified: mod_csr/trunk/Makefile.am
==============================================================================
--- mod_csr/trunk/Makefile.am	(original)
+++ mod_csr/trunk/Makefile.am	Tue Dec  3 19:25:47 2019
@@ -1,5 +1,3 @@
-
-
 EXTRA_DIST = mod_csr.c mod_csr.spec
 
 all-local:

Modified: mod_csr/trunk/mod_csr.c
==============================================================================
--- mod_csr/trunk/mod_csr.c	(original)
+++ mod_csr/trunk/mod_csr.c	Tue Dec  3 19:25:47 2019
@@ -46,6 +46,8 @@
 #define DEFAULT_CSR_PARAM_PKCS10 "pkcs10"
 #define DEFAULT_FRESHNESS 2
 #define DEFAULT_FRESHNESS_MAX 3600*24
+
+#include "openssl_setter_compat.h"
 
 module AP_MODULE_DECLARE_DATA csr_module;
 
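Review bot: The file pulled in by `#include "openssl_setter_compat.h"` is never added to `EXTRA_DIST` in this commit's own Makefile.am hunk, which still reads `EXTRA_DIST = mod_csr.c mod_csr.spec`, so a distribution tarball would ship a mod_csr.c that cannot compile; the line should become `EXTRA_DIST = mod_csr.c mod_csr.spec openssl_setter_compat.h`. The include is also placed after the DEFAULT_* defines rather than with the file's other includes (outside this hunk); since the header's guard tests OPENSSL_VERSION_NUMBER, it only works if an OpenSSL header has already been included above, which presumably holds but is worth confirming.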
@@ -897,7 +899,13 @@
     X509_REQ_set_pubkey(creq, pktmp);
 
     /* duplicate the signature algorithm */
+#if OPENSSL_VERSION_NUMBER  >= 0x010100000L
+    const X509_ALGOR *psigalg;
+    X509_REQ_get0_signature(req,NULL /* no need for signature */,&psigalg);
+    X509_REQ_set0_signature(creq, NULL, X509_ALGOR_dup((X509_ALGOR*)psigalg));
+#else
     creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
+#endif
 
     /* extract the param_challenge, if present */
     idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
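Review bot: `X509_REQ_set0_signature(creq, NULL, X509_ALGOR_dup((X509_ALGOR*)psigalg))` leaks the X509_ALGOR that X509_ALGOR_dup allocates: the compat setter added in openssl_setter_compat.h copies `*palgOrNull` by value into `req->sig_alg`, so the heap shell is never released, and a NULL return from X509_ALGOR_dup is swallowed by the setter's `if (palgOrNull != NULL)` and leaves creq's algorithm silently unset instead of reporting an error. Keep the duplicate in a local, check it, and free only the shell after the by-value copy, as below; this free is correct only for the by-value compat setter, so tie the branch to `HAS_OPENSSL_PR10563_WORK_AROUND` (which L63 already uses) rather than the wider `>= 0x010100000L` test, since for OpenSSL newer than the header's upper bound neither the compat setter nor the `#else` branch's `creq->sig_alg` member exists. The enclosing function starts and ends outside this hunk, so the error path should follow whatever convention it uses for other OpenSSL failures.
```c
#ifdef HAS_OPENSSL_PR10563_WORK_AROUND
    const X509_ALGOR *psigalg;
    X509_ALGOR *dupalg;
    X509_REQ_get0_signature(req, NULL /* no need for signature */, &psigalg);
    dupalg = X509_ALGOR_dup((X509_ALGOR *)psigalg);
    if (dupalg == NULL) {
        /* … report the allocation failure as the enclosing function does for other OpenSSL errors … */
    }
    X509_REQ_set0_signature(creq, NULL, dupalg);
    /* the compat setter copied the struct by value; creq now owns the members, release only the shell */
    OPENSSL_free(dupalg);
    /* … unchanged: #else branch for OpenSSL 1.0.2 … */
```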
@@ -1093,6 +1101,11 @@
 {
     ap_hook_pre_config(csr_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_handler(csr_handler, NULL, NULL, APR_HOOK_MIDDLE);
+
+#ifdef HAS_OPENSSL_PR10563_WORK_AROUND
+    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, 
+	"Workaround for OpenSSL/#10563 active; which manipulates openssl-private internals.");
+#endif
 }
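Review bot: The continuation line of the `ap_log_error` call is indented with a tab while the surrounding code uses four spaces, and the line before it carries trailing whitespace after `NULL, `; align it as `        "Workaround for OpenSSL/#10563 active; which manipulates openssl-private internals.");`. Passing a NULL server_rec here is unavoidable in the hook-registration function, but it means the warning presumably goes to stderr rather than the configured error log; if the message is meant for administrators, emitting it from a post-config hook with a real server_rec would be more reliable.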
 
 module AP_MODULE_DECLARE_DATA csr_module =

Added: mod_csr/trunk/openssl_setter_compat.h
==============================================================================
--- mod_csr/trunk/openssl_setter_compat.h	(added)
+++ mod_csr/trunk/openssl_setter_compat.h	Tue Dec  3 19:25:47 2019
@@ -0,0 +1,64 @@
+/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
+ * contributor license agreements.  See the AUTHORS file distributed with
+ * this work for additional information regarding copyright ownership.
+ * TCC licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that. They are needed as
+// starting with OpenSSL 1.1.0 the X509_req structure became
+// private; and got some get0 functions to access its internals.
+// But no getter's until post 1.1.1 (PR#10563). So this is a
+// stopgap for these lacking releases.
+//
+// Testest against: 
+//   openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
+//   openssl-1.1.0l 0x0101000cfL (needs it)
+//   openssl-1.1.1d 0x01010104fL (last version that needs it)
+//   openssl-1.1.1-dev		 (should not need it - post PR#10563).
+//
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L &&  OPENSSL_VERSION_NUMBER  <= 0x01010104fL
+#include "openssl/x509.h"
+
+#define HAS_OPENSSL_PR10563_WORK_AROUND
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;          
+    ASN1_INTEGER *version;     
+    X509_NAME *subject;       
+    X509_PUBKEY *pubkey;     
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+    X509_REQ_INFO req_info; 
+    X509_ALGOR sig_alg;       
+    ASN1_BIT_STRING *signature; /* signature */
+    CRYPTO_REF_COUNT references;
+    CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+    ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+static void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psigOrNull,
+                             X509_ALGOR *palgOrNull)
+{
+    if (psigOrNull != NULL)
+        req->signature = psigOrNull;
+    if (palgOrNull != NULL)
+        req->sig_alg = *palgOrNull;
+}
+#endif
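Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x010100000L && OPENSSL_VERSION_NUMBER <= 0x01010104fL` is evaluated before this file includes any OpenSSL header (`openssl/x509.h` is inside the guard), so if the includer has not already defined OPENSSL_VERSION_NUMBER the macro silently evaluates to 0 and the workaround disappears without a diagnostic; add `#include <openssl/opensslv.h>` before the `#if`. The upper bound pins exactly 1.1.1d, so any later 1.1.1 patch release that does not carry the PR#10563 setters (I cannot confirm from here whether they were backported) would be left with neither this workaround nor a setter, which deserves a `#error` or a comment explaining the expected behaviour there. Declaring `X509_REQ_set0_signature` as `static void` in a header will produce unused-function warnings in any translation unit that includes it without calling it; `static inline` avoids that. The explanatory comment has typos worth fixing ("Testest", "accessile"), and "no getter's until post 1.1.1" should read "no setters", which is what this header actually supplies.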

Propchange: mod_csr/trunk/openssl_setter_compat.h
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: mod_csr/trunk/openssl_setter_compat.h
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Rev URL


