Make it possible to once again compile mod_tls against older versions…

… of OpenSSL.
proftpd · May 31, 2020 · 06df861 · 06df861
1 parent 27822db
commit 06df861
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 2 deletions.
diff --git a/config.h.in b/config.h.in
@@ -1149,6 +1149,10 @@
 /* Define if OpenSSL SSL read ahead support, if available, should be used.  */
 #undef PR_USE_OPENSSL_SSL_READ_AHEAD
 
+/* Define if OpenSSL SSL session ID context set support, if available, should
+   be used.  */
+#undef PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT
+
 /* Define if OpenSSL SSL session ticket callback support, if available,
  * should be used.  */
 #undef PR_USE_OPENSSL_SSL_SESSION_TICKET_CALLBACK

diff --git a/configure b/configure
@@ -41766,6 +41766,74 @@ sed 's/^/| /' conftest.$ac_ext >&5
 echo "${ECHO_T}no" >&6; }
 
 
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+  LIBS="$saved_libs"
+
+  { echo "$as_me:$LINENO: checking whether OpenSSL has SSL session ID context set support" >&5
+echo $ECHO_N "checking whether OpenSSL has SSL session ID context set support... $ECHO_C" >&6; }
+  saved_libs="$LIBS"
+
+    LIBS=`echo "$LIBS" | sed -e 's/-lsupp//g'`;
+  LIBS="-lcrypto -lssl $LIBS"
+
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+      #include <openssl/ssl.h>
+
+int
+main ()
+{
+
+      (void) SSL_SESSION_set1_id_context(NULL, NULL, 0);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+      { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT 1
+_ACEOF
+
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+      { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+
+
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \

diff --git a/configure.in b/configure.in
@@ -3612,6 +3612,30 @@ if test x"$pr_use_openssl" = xyes; then
   )
   LIBS="$saved_libs"
 
+  AC_MSG_CHECKING([whether OpenSSL has SSL session ID context set support])
+  saved_libs="$LIBS"
+
+  dnl Splice out -lsupp, since that library hasn't been built yet
+  LIBS=`echo "$LIBS" | sed -e 's/-lsupp//g'`;
+  LIBS="-lcrypto -lssl $LIBS"
+
+  AC_TRY_LINK(
+    [
+      #include <openssl/ssl.h>
+    ],
+    [
+      (void) SSL_SESSION_set1_id_context(NULL, NULL, 0);
+    ],
+    [
+      AC_MSG_RESULT(yes)
+      AC_DEFINE(PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT, 1, [Define if your OpenSSL supports setting SSL session ID context])
+    ],
+    [
+      AC_MSG_RESULT(no)
+    ]
+  )
+  LIBS="$saved_libs"
+
   AC_MSG_CHECKING([whether OpenSSL has SSL session ticket callback support])
   saved_libs="$LIBS"
 

diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
@@ -16223,15 +16223,16 @@ static int tls_ssl_set_psks(SSL *ssl) {
 }
 
 static int tls_ssl_set_options(SSL *ssl) {
-  SSL_clear_options(ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-  SSL_clear_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
 
 #if OPENSSL_VERSION_NUMBER > 0x009080cfL
+  SSL_clear_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
   /* The OpenSSL team realized that the flag added in 0.9.8l, the
    * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag, was a bad idea.
    * So in later versions, it was changed to a context flag,
    * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
    */
+  SSL_clear_options(ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
   if (tls_opts & TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS) {
     int ssl_opts;
 
@@ -16346,7 +16347,9 @@ static int tls_ssl_set_protocol(server_rec *s, SSL *ssl) {
    * This is more convoluted than it should be, because of the expression
    * of enabled protocol versions via OP_NO_ negations, and bitmasking.
    */
+#if OPENSSL_VERSION_NUMBER > 0x000908000L
   SSL_clear_options(ssl, all_proto|disabled_proto);
+#endif
   SSL_set_options(ssl, disabled_proto);
 
   return 0;
@@ -16422,6 +16425,7 @@ static int tls_ssl_set_session_id_context(server_rec *s, SSL *ssl) {
     sizeof(s->sid), ssl);
   SSL_set_session_id_context(ssl, (unsigned char *) &(s->sid), sizeof(s->sid));
 
+#if defined(PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT)
   sess = SSL_get_session(ssl);
   if (sess != NULL) {
     pr_trace_msg(trace_channel, 19,
@@ -16430,6 +16434,7 @@ static int tls_ssl_set_session_id_context(server_rec *s, SSL *ssl) {
     SSL_SESSION_set1_id_context(sess, (unsigned char *) &(s->sid),
       sizeof(s->sid));
   }
+#endif
 
   return 0;
 }
@@ -16675,11 +16680,13 @@ static int tls_ssl_set_all(server_rec *s, SSL *ssl) {
     return -1;
   }
 
+#if OPENSSL_VERSION_NUMBER > 0x009080cfL
   /* Note that it is important that we update the SSL with the new SSL_CTX
    * AFTER it has been provisioned.  That way, the new/changed certs in the
    * SSL_CTX will be properly copied/updated in the SSL object.
    */
   ctx = SSL_set_SSL_CTX(ssl, ctx);
+#endif
 
   if (ssl_ctx != NULL) {
     /* Try not to leak memory. */
@@ -17609,7 +17616,9 @@ static int tls_ctx_set_protocol(server_rec *s, SSL_CTX *ctx) {
    * This is more convoluted than it should be, because of the expression
    * of enabled protocol versions via OP_NO_ negations, and bitmasking.
    */
+#if OPENSSL_VERSION_NUMBER > 0x009080cfL
   SSL_CTX_clear_options(ctx, all_proto|disabled_proto);
+#endif
   SSL_CTX_set_options(ctx, disabled_proto);
 
   return 0;