--- /dev/null
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void)
+
+ static apr_status_t ssl_cleanup_pre_config(void *data)
+ {
++#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ /*
+ * Try to kill the internals of the SSL library.
+ */
+@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
+ #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+ #ifndef OPENSSL_NO_COMP
+ SSL_COMP_free_compression_methods();
+-#endif
+ #endif
+
+ /* Usually needed per thread, but this parent process is single-threaded */
+-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+ ERR_remove_thread_state(NULL);
+ #else
+@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
+ * (when enabled) at this late stage in the game:
+ * CRYPTO_mem_leaks_fp(stderr);
+ */
++#endif
+ return APR_SUCCESS;
+ }
+
+@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+ #else
+ OPENSSL_malloc_init();
+ #endif
++#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ ERR_load_crypto_strings();
+ SSL_load_error_strings();
+ SSL_library_init();
++ OpenSSL_add_all_algorithms();
++ OPENSSL_load_builtin_modules();
++#endif
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_load_builtin_engines();
+ #endif
+- OpenSSL_add_all_algorithms();
+- OPENSSL_load_builtin_modules();
+
+ if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
+ (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+
+ return 1;
+ }
++
++#define OpenSSL_version_num SSLeay
+ #endif
+
+ /*
+@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ apr_status_t rv;
+ apr_array_header_t *pphrases;
+
+- if (SSLeay() < MODSSL_LIBRARY_VERSION) {
++ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
+ "Init: this version of mod_ssl was compiled against "
+ "a newer library (%s, version currently loaded is %s)"
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
+ if (dc->proxy->ssl_check_peer_expire != FALSE) {
+ if (!cert
+ || (X509_cmp_current_time(
+- X509_get_notBefore(cert)) >= 0)
++ X509_get0_notBefore(cert)) >= 0)
+ || (X509_cmp_current_time(
+- X509_get_notAfter(cert)) <= 0)) {
++ X509_get0_notAfter(cert)) <= 0)) {
+ proxy_ssl_check_peer_ok = FALSE;
+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)
+ "SSL Proxy: Peer certificate is expired");
+--- a/modules/ssl/ssl_engine_log.c
++++ b/modules/ssl/ssl_engine_log.c
+@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level,
+ BIO_puts(bio, "(ERROR)");
+
+ BIO_puts(bio, " / notbefore: ");
+- ASN1_TIME_print(bio, X509_get_notBefore(cert));
++ ASN1_TIME_print(bio, X509_get0_notBefore(cert));
+
+ BIO_puts(bio, " / notafter: ");
+- ASN1_TIME_print(bio, X509_get_notAfter(cert));
++ ASN1_TIME_print(bio, X509_get0_notAfter(cert));
+
+ BIO_puts(bio, "]");
+
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
+ result = ssl_var_lookup_ssl_cert_serial(p, xs);
+ }
+ else if (strcEQ(var, "V_START")) {
+- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));
++ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs));
+ }
+ else if (strcEQ(var, "V_END")) {
+- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));
++ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs));
+ }
+ else if (strcEQ(var, "V_REMAIN")) {
+- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
++ result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs));
+ resdup = FALSE;
+ }
+ else if (*var && strcEQ(var+1, "_DN")) {
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -92,6 +92,8 @@
+ #include <openssl/x509.h>
+ #include <openssl/pem.h>
+ #include <openssl/crypto.h>
++#include <openssl/bn.h>
++#include <openssl/dh.h>
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
+ #include <openssl/x509v3.h>
+@@ -234,6 +236,10 @@
+ #define BIO_get_shutdown(x) (x->shutdown)
+ #define BIO_set_shutdown(x,v) (x->shutdown=v)
+ #define DH_bits(x) (BN_num_bits(x->p))
++#define X509_get0_notBefore X509_get_notBefore
++#define X509_get0_notAfter X509_get_notAfter
++#define X509_getm_notBefore X509_get_notBefore
++#define X509_getm_notAfter X509_get_notAfter
+ #else
+ void init_bio_methods(void);
+ void free_bio_methods(void);
+--- a/support/ab.c
++++ b/support/ab.c
+@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
+ #define SSL_CTX_set_max_proto_version(ctx, version) \
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_get0_notBefore X509_get_notBefore
++#define X509_get0_notAfter X509_get_notAfter
++#endif
+ #endif
+
+ #include <math.h>
+@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert)
+
+ BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1);
+ BIO_printf(bio,"Valid from: ");
+- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
++ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));
+ BIO_printf(bio,"\n");
+
+ BIO_printf(bio,"Valid to : ");
+- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
++ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));
+ BIO_printf(bio,"\n");
+
+ pk = X509_get_pubkey(cert);
+@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[])
+ CRYPTO_malloc_init();
+ #endif
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_load_error_strings();
+ SSL_library_init();
++#endif
+ bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+ bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
git.99rst.org / openwrt-packages.git / commitdiff