William A. Rowe, Jr. wrote:
> httpd was patched for httpd -v some time ago to report both the compiled
> and loaded versions of apr[-util].
>
> I'd like to get this into trunk/2.2/2.0 similarly for openssl.
>
> It's very common for users to hotfix openssl for security vulnerabilities,
> but the apache error log remains 'scary' to auditors and administrators...
>
> [Tue Mar 20 15:54:21 2007] [notice] Apache/2.0.59 (Unix) DAV/2
> CovalentSNMP/3.0.
> 3 mod_jk/1.2.18 mod_ssl/2.0.59 OpenSSL/0.9.7i PHP/4.4.4 mod_perl/1.999.21
> Perl/v
> 5.8.8 configured -- resuming normal operations
> [Tue Mar 20 15:59:51 2007] [info] Server: Apache/2.0.59, Interface:
> mod_ssl/2.0.
> 59, Library: OpenSSL/0.9.7i
After looking at the code, I see we shifted to SSLeay_version a while back
(which is OpenSSL-only and breaks SSL-C toolkit support), but it's still not
sufficient IMHO. I'm proposing the attached patches, which
*) add compile-time/run-time SSL-C version support
*) simplify a ton of overly-verbose legacy code
*) split the compiled-against vs. runtime library
*) precache the results of the version string touchup
Patches to trunk/2.2/2.0 attached - comments (or votes) please?
Bill
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 507951)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -34,42 +34,21 @@
** _________________________________________________________________
*/
-static char *ssl_add_version_component(apr_pool_t *p,
- server_rec *s,
- char *name)
-{
- char *val = ssl_var_lookup(p, s, NULL, NULL, name);
- if (val && *val) {
- ap_add_version_component(p, val);
- }
-
- return val;
-}
-
-static char *version_components[] = {
- "SSL_VERSION_PRODUCT",
- "SSL_VERSION_INTERFACE",
- "SSL_VERSION_LIBRARY",
- NULL
-};
-
static void ssl_add_version_components(apr_pool_t *p,
server_rec *s)
{
- char *vals[sizeof(version_components)/sizeof(char *)];
- int i;
+ char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE");
+ char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY");
+ char *incver = ssl_var_lookup(p, s, NULL, NULL,
+ "SSL_VERSION_LIBRARY_INTERFACE");
- for (i=0; version_components[i]; i++) {
- vals[i] = ssl_add_version_component(p, s,
- version_components[i]);
- }
+ ap_add_version_component(p, modver);
+ ap_add_version_component(p, libver);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Server: %s, Interface: %s, Library: %s",
- AP_SERVER_BASEVERSION,
- vals[1], /* SSL_VERSION_INTERFACE */
- vals[2]); /* SSL_VERSION_LIBRARY */
+ "%s compiled against Server: %s, Library: %s",
+ modver, AP_SERVER_BASEVERSION, incver);
}
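Review bot: The rewritten ssl_add_version_components() passes `modver` and `libver` straight to ap_add_version_component(), whereas the removed helper only did so after `if (val && *val)`. Whether ssl_var_lookup() can return NULL or an empty string is not visible in this hunk, so I would keep the guard, e.g. `if (libver && *libver) ap_add_version_component(p, libver);`, and the same for `modver`. The INFO line now reports only the compiled-against `incver`; since the stated aim is to let administrators and auditors see a hot-fixed library, consider also logging the loaded `libver` there so both values sit side by side. The same hunk is repeated in the two other patch copies further down the page.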
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c (revision 507951)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -569,32 +569,42 @@
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
{
+ static char interface[] = "mod_ssl/" MOD_SSL_VERSION;
+ static char library_interface[] = SSL_LIBRARY_TEXT;
+ static char *library = NULL;
char *result;
- char *cp, *cp2;
-
- result = NULL;
-
- if (strEQ(var, "PRODUCT")) {
-#if defined(SSL_PRODUCT_NAME) && defined(SSL_PRODUCT_VERSION)
- result = apr_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
-#else
- result = NULL;
-#endif
- }
- else if (strEQ(var, "INTERFACE")) {
- result = apr_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
- }
- else if (strEQ(var, "LIBRARY")) {
- result = apr_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
- if ((cp = strchr(result, ' ')) != NULL) {
+
+ if (!library) {
+ char *cp, *cp2;
+ library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+ if ((cp = strchr(library, ' ')) != NULL) {
*cp = '/';
if ((cp2 = strchr(cp, ' ')) != NULL)
*cp2 = NUL;
}
+ if ((cp = strchr(library_interface, ' ')) != NULL) {
+ *cp = '/';
+ if ((cp2 = strchr(cp, ' ')) != NULL)
+ *cp2 = NUL;
+ }
}
+
+ if (strEQ(var, "INTERFACE")) {
+ result = apr_pstrdup(p, interface);
+ }
+ else if (strEQ(var, "LIBRARY_INTERFACE")) {
+ result = apr_pstrdup(p, library_interface);
+ }
+ else if (strEQ(var, "LIBRARY")) {
+ result = apr_pstrdup(p, library);
+ }
+ else {
+ result = NULL;
+ }
return result;
}
+
/* _________________________________________________________________
**
** SSL Extension to mod_log_config
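Review bot: `library` is a function-level `static` that caches a string allocated with `apr_pstrdup(p, SSL_LIBRARY_DYNTEXT)` from whichever pool the first caller happens to pass, so the cached pointer dangles once that pool is cleared or destroyed while `!library` still reads as "already initialised". The lifetime of `p` is not visible in the hunk, but if it can be a request, connection or per-restart configuration pool, later lookups would copy from freed memory. A fixed buffer removes the dependency: `static char library[LIBVER_MAX];` filled once with `apr_cpystrn(library, SSL_LIBRARY_DYNTEXT, sizeof(library));` and guarded by a separate `static int` flag (`LIBVER_MAX` is a placeholder). The one-time touchup is also unsynchronised, which matters if the first call can arrive on a worker thread rather than during startup. The same applies to the ssl_engine_vars.c hunks in the two other patch copies below.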
Index: modules/ssl/ssl_util_ssl.h
===================================================================
--- modules/ssl/ssl_util_ssl.h (revision 507951)
+++ modules/ssl/ssl_util_ssl.h (working copy)
@@ -30,14 +30,27 @@
/*
* Determine SSL library version number
*/
+#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF)
+
#ifdef OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+#elif defined(SSLC_VERSION_NUMBER)
+#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER
+#define SSL_LIBRARY_NAME "SSL-C"
+#define SSL_LIBRARY_TEXT { 'S', 'S', 'L', '-', 'C', ' ', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 }
+#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION)
#elif !defined(SSL_LIBRARY_VERSION)
#define SSL_LIBRARY_VERSION 0x0000
#define SSL_LIBRARY_NAME "OtherSSL"
#define SSL_LIBRARY_TEXT "OtherSSL 0.0.0 00 XXX 0000"
+#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000"
#endif
/*
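Review bot: `SSL_NIBBLE` expands its arguments unparenthesised, and the SSL-C `SSL_LIBRARY_TEXT` initializer converts each nibble with `'0' + SSL_NIBBLE(...)`, which produces one of `:` through `?` instead of a digit for any nibble above 9. I would write `#define SSL_NIBBLE(x,n) (((x) >> ((n) * 4)) & 0xF)` and either index into `"0123456789ABCDEF"` or add a comment stating that each version field is assumed to be a single decimal digit; the layout of `SSLC_VERSION_NUMBER` is not shown here, so that assumption should be confirmed. A one-line comment on `SSL_LIBRARY_DYNTEXT` saying it is the version of the library loaded at run time, as opposed to the compile-time `SSL_LIBRARY_TEXT`, would also help the next reader. The same definitions recur in the ssl_util_ssl.h hunks of the two other patch copies below.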
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 507951)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -34,42 +34,21 @@
** _________________________________________________________________
*/
-static char *ssl_add_version_component(apr_pool_t *p,
- server_rec *s,
- char *name)
-{
- char *val = ssl_var_lookup(p, s, NULL, NULL, name);
- if (val && *val) {
- ap_add_version_component(p, val);
- }
-
- return val;
-}
-
-static char *version_components[] = {
- "SSL_VERSION_PRODUCT",
- "SSL_VERSION_INTERFACE",
- "SSL_VERSION_LIBRARY",
- NULL
-};
-
static void ssl_add_version_components(apr_pool_t *p,
server_rec *s)
{
- char *vals[sizeof(version_components)/sizeof(char *)];
- int i;
+ char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE");
+ char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY");
+ char *incver = ssl_var_lookup(p, s, NULL, NULL,
+ "SSL_VERSION_LIBRARY_INTERFACE");
- for (i=0; version_components[i]; i++) {
- vals[i] = ssl_add_version_component(p, s,
- version_components[i]);
- }
+ ap_add_version_component(p, modver);
+ ap_add_version_component(p, libver);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Server: %s, Interface: %s, Library: %s",
- AP_SERVER_BASEVERSION,
- vals[1], /* SSL_VERSION_INTERFACE */
- vals[2]); /* SSL_VERSION_LIBRARY */
+ "%s compiled against Server: %s, Library: %s",
+ modver, AP_SERVER_BASEVERSION, incver);
}
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c (revision 507951)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -635,31 +635,41 @@
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
{
+ static char interface[] = "mod_ssl/" MOD_SSL_VERSION;
+ static char library_interface[] = SSL_LIBRARY_TEXT;
+ static char *library = NULL;
char *result;
- char *cp, *cp2;
-
- result = NULL;
-
- if (strEQ(var, "PRODUCT")) {
-#if defined(SSL_PRODUCT_NAME) && defined(SSL_PRODUCT_VERSION)
- result = apr_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
-#else
- result = NULL;
-#endif
- }
- else if (strEQ(var, "INTERFACE")) {
- result = apr_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
- }
- else if (strEQ(var, "LIBRARY")) {
- result = apr_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
- if ((cp = strchr(result, ' ')) != NULL) {
+
+ if (!library) {
+ char *cp, *cp2;
+ library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+ if ((cp = strchr(library, ' ')) != NULL) {
*cp = '/';
if ((cp2 = strchr(cp, ' ')) != NULL)
*cp2 = NUL;
}
+ if ((cp = strchr(library_interface, ' ')) != NULL) {
+ *cp = '/';
+ if ((cp2 = strchr(cp, ' ')) != NULL)
+ *cp2 = NUL;
+ }
}
+
+ if (strEQ(var, "INTERFACE")) {
+ result = apr_pstrdup(p, interface);
+ }
+ else if (strEQ(var, "LIBRARY_INTERFACE")) {
+ result = apr_pstrdup(p, library_interface);
+ }
+ else if (strEQ(var, "LIBRARY")) {
+ result = apr_pstrdup(p, library);
+ }
+ else {
+ result = NULL;
+ }
return result;
}
+
const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
const char *oidnum)
Index: modules/ssl/ssl_util_ssl.h
===================================================================
--- modules/ssl/ssl_util_ssl.h (revision 507951)
+++ modules/ssl/ssl_util_ssl.h (working copy)
@@ -37,14 +37,27 @@
/**
* Determine SSL library version number
*/
+#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF)
+
#ifdef OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+#elif defined(SSLC_VERSION_NUMBER)
+#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER
+#define SSL_LIBRARY_NAME "SSL-C"
+#define SSL_LIBRARY_TEXT { 'S', 'S', 'L', '-', 'C', ' ', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 }
+#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION)
#elif !defined(SSL_LIBRARY_VERSION)
#define SSL_LIBRARY_VERSION 0x0000
#define SSL_LIBRARY_NAME "OtherSSL"
#define SSL_LIBRARY_TEXT "OtherSSL 0.0.0 00 XXX 0000"
+#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000"
#endif
/**
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 507951)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -34,42 +34,21 @@
** _________________________________________________________________
*/
-static char *ssl_add_version_component(apr_pool_t *p,
- server_rec *s,
- char *name)
-{
- char *val = ssl_var_lookup(p, s, NULL, NULL, name);
- if (val && *val) {
- ap_add_version_component(p, val);
- }
-
- return val;
-}
-
-static char *version_components[] = {
- "SSL_VERSION_PRODUCT",
- "SSL_VERSION_INTERFACE",
- "SSL_VERSION_LIBRARY",
- NULL
-};
-
static void ssl_add_version_components(apr_pool_t *p,
server_rec *s)
{
- char *vals[sizeof(version_components)/sizeof(char *)];
- int i;
+ char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE");
+ char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY");
+ char *incver = ssl_var_lookup(p, s, NULL, NULL,
+ "SSL_VERSION_LIBRARY_INTERFACE");
- for (i=0; version_components[i]; i++) {
- vals[i] = ssl_add_version_component(p, s,
- version_components[i]);
- }
+ ap_add_version_component(p, modver);
+ ap_add_version_component(p, libver);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Server: %s, Interface: %s, Library: %s",
- AP_SERVER_BASEVERSION,
- vals[1], /* SSL_VERSION_INTERFACE */
- vals[2]); /* SSL_VERSION_LIBRARY */
+ "%s compiled against Server: %s, Library: %s",
+ modver, AP_SERVER_BASEVERSION, incver);
}
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c (revision 507951)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -635,31 +635,41 @@
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
{
+ static char interface[] = "mod_ssl/" MOD_SSL_VERSION;
+ static char library_interface[] = SSL_LIBRARY_TEXT;
+ static char *library = NULL;
char *result;
- char *cp, *cp2;
-
- result = NULL;
-
- if (strEQ(var, "PRODUCT")) {
-#if defined(SSL_PRODUCT_NAME) && defined(SSL_PRODUCT_VERSION)
- result = apr_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
-#else
- result = NULL;
-#endif
- }
- else if (strEQ(var, "INTERFACE")) {
- result = apr_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
- }
- else if (strEQ(var, "LIBRARY")) {
- result = apr_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
- if ((cp = strchr(result, ' ')) != NULL) {
+
+ if (!library) {
+ char *cp, *cp2;
+ library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+ if ((cp = strchr(library, ' ')) != NULL) {
*cp = '/';
if ((cp2 = strchr(cp, ' ')) != NULL)
*cp2 = NUL;
}
+ if ((cp = strchr(library_interface, ' ')) != NULL) {
+ *cp = '/';
+ if ((cp2 = strchr(cp, ' ')) != NULL)
+ *cp2 = NUL;
+ }
}
+
+ if (strEQ(var, "INTERFACE")) {
+ result = apr_pstrdup(p, interface);
+ }
+ else if (strEQ(var, "LIBRARY_INTERFACE")) {
+ result = apr_pstrdup(p, library_interface);
+ }
+ else if (strEQ(var, "LIBRARY")) {
+ result = apr_pstrdup(p, library);
+ }
+ else {
+ result = NULL;
+ }
return result;
}
+
apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
const char *extension)
Index: modules/ssl/ssl_util_ssl.h
===================================================================
--- modules/ssl/ssl_util_ssl.h (revision 507951)
+++ modules/ssl/ssl_util_ssl.h (working copy)
@@ -37,14 +37,27 @@
/**
* Determine SSL library version number
*/
+#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF)
+
#ifdef OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+#elif defined(SSLC_VERSION_NUMBER)
+#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER
+#define SSL_LIBRARY_NAME "SSL-C"
+#define SSL_LIBRARY_TEXT { 'S', 'S', 'L', '-', 'C', ' ', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \
+ '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 }
+#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION)
#elif !defined(SSL_LIBRARY_VERSION)
#define SSL_LIBRARY_VERSION 0x0000
#define SSL_LIBRARY_NAME "OtherSSL"
#define SSL_LIBRARY_TEXT "OtherSSL 0.0.0 00 XXX 0000"
+#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000"
#endif
/**