Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/
On Thu, Aug 3, 2017 at 9:25 AM, Ruediger Pluem wrote:
>
> On 07/30/2017 01:05 AM, yla...@apache.org wrote:
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
>> ==
>> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
>> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct >> return APR_EINVAL; >> } >> >> -#if OPENSSL_VERSION_NUMBER < 0x1010L >> +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
>
> Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?
>
>> ctx = EVP_MD_CTX_create(); >> #else >> ctx = EVP_MD_CTX_new();
>> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct >> ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data, >> sctf->signed_data_len)); >> rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey); >> -#if OPENSSL_VERSION_NUMBER < 0x1010L >> +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
>
> Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

#including "ssl_private.h" in "ssl_ct_sct.c" doesn't work; the former defines MODSSL_USE_OPENSSL_PRE_1_1 but also APLOG_USE_MODULE(ssl), the latter has AP_DECLARE_MODULE(ssl_ct). There are surely ways to address this, but I don't know how for now...

Regards,
Yann.
Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/
On Thu, Aug 3, 2017 at 9:34 AM, William A Rowe Jr wrote:
> IMO that's garbage, please revert. I don't believe that any ASF project,
> which has very firm rules about appropriating code bases, should be
> tolerating namespace abuse and mark infringement against other
> projects.

Not really a technical argument...

LibreSSL is a fork; for some reasons (which we don't have to and won't discuss/dispute here) some people decided that OpenSSL (as is/was) didn't suit their needs and forked it (which, AFAICT, isn't forbidden by the OpenSSL license), and for the same or other reasons (whatever), some people decided to use and package it in distros. Thus both projects share code and namespace...

>
> If they want us to test a symbol in a LIBRESSL space, that's fine, but
> OPENSSL namespace was not theirs to begin with.

They define LIBRESSL_VERSION, but alas (for us) also OPENSSL_VERSION=2 (I agree that they probably have to change that some day...).

Anyway, if we want to support LibreSSL we could check LIBRESSL_VERSION all over the place and have distinct code in mod_ssl for both libs, or do something like this quite simple patch and thanks to most code/namespace reuse have it work with few changes.

Do you propose that we don't support LibreSSL for ethical reasons?

Regards,
Yann.
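As an added illustration of the version-number problem Yann describes above (example code written for this page, not code from httpd, OpenSSL or LibreSSL): it decodes an OpenSSL-style OPENSSL_VERSION_NUMBER using OpenSSL's documented 0xMNNFFPPS layout, shows that a bare "less than 1.1.0" comparison (written with OpenSSL's full constant 0x10100000L) accepts LibreSSL's 0x20000000L as a 1.1-era library, and contrasts it with the patch's "pre-1.1 unless real OpenSSL >= 1.1" rule, both as a function and as a preprocessor condition. The function and struct names, the constructed sample table and the placeholder macro values used when <openssl/opensslv.h> is not included are this example's own assumptions.

```c
/*
 * Added example, not code from httpd, OpenSSL or LibreSSL.  It shows how an
 * OpenSSL-style OPENSSL_VERSION_NUMBER is laid out and why a plain
 * "< 1.1.0" test is fooled by LibreSSL, which reports 0x20000000L (2.0.0)
 * while lacking parts of the OpenSSL 1.1 API.  All function and struct
 * names here are hypothetical; the encoding itself is OpenSSL's
 * documented 0xMNNFFPPS layout.
 */
#include <stdio.h>
#include <string.h>

/* 0xMNNFFPPS: M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'),
 * S = status (0 = dev, 1..e = beta/rc, f = release). */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

void ossl_decode_version(unsigned long v, struct ossl_version *out)
{
    out->major  = (unsigned)((v >> 28) & 0xf);
    out->minor  = (unsigned)((v >> 20) & 0xff);
    out->fix    = (unsigned)((v >> 12) & 0xff);
    out->patch  = (unsigned)((v >>  4) & 0xff);
    out->status = (unsigned)(v & 0xf);
}

/* Renders 0x100020bfL as "1.0.2k", 0x1010006fL as "1.1.0f" and
 * LibreSSL's fixed 0x20000000L as "2.0.0". */
void ossl_format_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_version ver;
    ossl_decode_version(v, &ver);
    if (ver.patch)
        snprintf(buf, len, "%u.%u.%u%c", ver.major, ver.minor, ver.fix,
                 (int)('a' + ver.patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", ver.major, ver.minor, ver.fix);
}

/* The test the patch replaces: only the raw number is consulted, so
 * LibreSSL (2.0.0) is taken for an OpenSSL >= 1.1 and gets 1.1-only calls. */
int naive_pre_1_1(unsigned long version_number)
{
    return version_number < 0x10100000L;
}

/* The patch's MODSSL_USE_OPENSSL_PRE_1_1_API logic as a function:
 * anything that is not OpenSSL >= 1.1 uses the pre-1.1 paths, and
 * LibreSSL is sent there regardless of the number it advertises.
 * libressl_defined models defined(LIBRESSL_VERSION_NUMBER). */
int modssl_use_pre_1_1_api(unsigned long version_number, int libressl_defined)
{
    return version_number < 0x10100000L || libressl_defined;
}

/* The same selection at preprocessing time, the shape mod_ssl uses.  A real
 * build takes both macros from <openssl/opensslv.h>; so that this file
 * compiles without OpenSSL installed, placeholder values that mimic a
 * LibreSSL build are supplied when that header has not been seen. */
#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER  0x20000000L /* what LibreSSL reports */
#define LIBRESSL_VERSION_NUMBER 0x2050000fL /* hypothetical placeholder */
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define EXAMPLE_MD_CTX_API "EVP_MD_CTX_create/EVP_MD_CTX_destroy"
#else
#define EXAMPLE_MD_CTX_API "EVP_MD_CTX_new/EVP_MD_CTX_free"
#endif

const char *example_md_ctx_api(void)
{
    return EXAMPLE_MD_CTX_API;
}

int main(void)
{
    /* Constructed sample: (version number, LIBRESSL_VERSION_NUMBER defined?) */
    static const struct { unsigned long num; int libressl; } samples[] = {
        { 0x100020bfL, 0 },  /* OpenSSL 1.0.2k */
        { 0x1010006fL, 0 },  /* OpenSSL 1.1.0f */
        { 0x20000000L, 1 },  /* LibreSSL, any release */
    };
    size_t i;
    char buf[32];

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format_version(samples[i].num, buf, sizeof buf);
        printf("%-8s libressl=%d naive_pre_1_1=%d modssl_pre_1_1=%d\n",
               buf, samples[i].libressl,
               naive_pre_1_1(samples[i].num),
               modssl_use_pre_1_1_api(samples[i].num, samples[i].libressl));
    }
    printf("compile-time choice here: %s\n", example_md_ctx_api());
    return 0;
}
```

Build with `cc -Wall example.c`. With the OpenSSL or LibreSSL headers on the include path, adding `#include <openssl/opensslv.h>` above the `#ifndef` makes the compile-time branch reflect the real library instead of the placeholders; the LibreSSL row in the table is the case the naive test gets wrong.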
Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/
IMO that's garbage, please revert. I don't believe that any ASF project, which has very firm rules about appropriating code bases, should be tolerating namespace abuse and mark infringement against other projects.

If they want us to test a symbol in a LIBRESSL space, that's fine, but OPENSSL namespace was not theirs to begin with.

On Sat, Jul 29, 2017 at 6:05 PM, wrote:
> Author: ylavic
> Date: Sat Jul 29 23:05:02 2017
> New Revision: 1803396
>
> URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
> Log:
> mod_ssl, ab: compatibility with LibreSSL. PR 61184.
>
> LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
> all of the latest OpenSSL 1.1 API.
>
> Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
> anything but OpenSSL >= 1.1 (for now).
>
> Proposed by: Bernard Spil
> Reviewed by: ylavic
>
>
> Modified:
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/ssl_util.c
> httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
> httpd/httpd/trunk/support/ab.c
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Jul 29 23:05:02 2017
> @@ -354,7 +354,7 @@ static apr_status_t ssl_cleanup_pre_conf > #endif > > /* Usually needed per thread, but this parent process is single-threaded > */ > -#if OPENSSL_VERSION_NUMBER < 0x1010L > +#if MODSSL_USE_OPENSSL_PRE_1_1_API > #if OPENSSL_VERSION_NUMBER >= 0x100fL > ERR_remove_thread_state(NULL); > #else
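Review bot: in the ssl_cleanup_pre_conf hunk the outer guard is now MODSSL_USE_OPENSSL_PRE_1_1_API, which per the log message is also true for LibreSSL, but the nested `#if OPENSSL_VERSION_NUMBER >= 0x100fL` still reads the raw version number that LibreSSL reports as 2.0, so a LibreSSL build always lands on `ERR_remove_thread_state(NULL);`. That is fine only if LibreSSL keeps that function; add a short comment here stating that assumption, since the log only says LibreSSL lacks parts of the 1.1 API and the nested test gives no hint that a non-OpenSSL library can reach it.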
> @@ -398,15 +398,15 @@ static int ssl_hook_pre_config(apr_pool_ > /* Some OpenSSL internals are allocated per-thread, make sure they > * are associated to the/our same thread-id until cleaned up. > */ > -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x1010L > +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API > ssl_util_thread_id_setup(pconf); > #endif > > /* We must register the library in full, to ensure our configuration > * code can successfully test the SSL environment. > */ > -#if OPENSSL_VERSION_NUMBER < 0x1010L > -CRYPTO_malloc_init(); > +#if MODSSL_USE_OPENSSL_PRE_1_1_API > +(void)CRYPTO_malloc_init(); > #else > OPENSSL_malloc_init(); > #endif > > Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff > == > --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017 > @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct > return APR_EINVAL; > } > > -#if OPENSSL_VERSION_NUMBER < 0x1010L > +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) > ctx = EVP_MD_CTX_create(); > #else > ctx = EVP_MD_CTX_new(); > @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct > ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data, > sctf->signed_data_len)); > rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey); > -#if OPENSSL_VERSION_NUMBER < 0x1010L > +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER) > EVP_MD_CTX_destroy(ctx); > #else > EVP_MD_CTX_free(ctx); > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1803396&r1=1803395&r2=1803396&view=diff > == > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Jul 29 23:05:02 2017 
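Review bot: both hunks in ssl_ct_sct.c spell the condition out as `#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)` instead of the MODSSL_USE_OPENSSL_PRE_1_1_API macro the rest of this commit introduces, so the LibreSSL rule now exists in two places that can drift apart. If ssl_private.h cannot be included from the CT code, a comment on the first occurrence saying so, or hoisting the macro into a header both sides can include (ssl_util_ssl.h is already touched by this commit), would keep a later change to the macro from silently missing this file.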
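Review bot: the ssl_hook_pre_config hunk now sends LibreSSL builds through `ssl_util_thread_id_setup(pconf);` and `(void)CRYPTO_malloc_init();`, the pre-1.1 thread-id and allocator setup, on the strength of MODSSL_USE_OPENSSL_PRE_1_1_API alone. Worth confirming on a threaded MPM against LibreSSL that both calls exist and behave, and noting in the macro's comment that it asserts LibreSSL keeps the 1.0-era setup API, not only that it lacks 1.1 additions; the `(void)` cast is a reasonable style fix since the old `CRYPTO_malloc_init();` dropped the return value without saying so.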
> @@ -50,7 +50,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, > #define KEYTYPES "RSA or DSA" > #endif > > -#if OPENSSL_VERSION_NUMBER < 0x1010L > +#if MODSSL_USE_OPENSSL_PRE_1_1_API > /* OpenSSL Pre-1.1.0 compatibility */ > /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ > static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) > @@ -253,7 +253,7 @@ apr_status_t ssl_init_Module(apr_pool_t > #endif > } > > -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x1010L > +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API > ssl_util_thread_setup(p); > #endif > > @@ -380,7 +38
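Review bot: the `#if MODSSL_USE_OPENSSL_PRE_1_1_API` guard in ssl_engine_init.c now compiles the local `static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)` compatibility copy for every LibreSSL release, so the day LibreSSL ships its own DH_set0_pqg() this definition will collide with the library's. Consider bounding the LibreSSL side of the condition with LIBRESSL_VERSION_NUMBER once such a release exists, and extending the "Taken from OpenSSL 1.1.0 snapshot 20160410" comment to say the block also serves LibreSSL.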
Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/
On 07/30/2017 01:05 AM, yla...@apache.org wrote:
> Author: ylavic
> Date: Sat Jul 29 23:05:02 2017
> New Revision: 1803396
>
> URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
> Log:
> mod_ssl, ab: compatibility with LibreSSL. PR 61184.
>
> LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
> all of the latest OpenSSL 1.1 API.
>
> Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
> anything but OpenSSL >= 1.1 (for now).
>
> Proposed by: Bernard Spil
> Reviewed by: ylavic
>
>
> Modified:
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/ssl_util.c
> httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
> httpd/httpd/trunk/support/ab.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==
> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct > return APR_EINVAL; > } > > -#if OPENSSL_VERSION_NUMBER < 0x1010L > +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)

Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

> ctx = EVP_MD_CTX_create(); > #else > ctx = EVP_MD_CTX_new();
> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct > ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data, > sctf->signed_data_len)); > rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey); > -#if OPENSSL_VERSION_NUMBER < 0x1010L > +#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)

Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

> EVP_MD_CTX_destroy(ctx); > #else > EVP_MD_CTX_free(ctx); >

Regards
Rüdiger