Browse Source
Merge pull request #10031 from neheb/htt
apache: fix compilation without deprecated OpenSSL APIslilik-openwrt-22.03
Rosen Penev
4 years ago
committed by
GitHub
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 177 additions and 0 deletions
Split View
Diff Options
+ 177
- 0
net/apache/patches/020-openssl-deprecated.patch
View File
| @ -0,0 +1,177 @@ | |||
| --- a/modules/ssl/mod_ssl.c | |||
| +++ b/modules/ssl/mod_ssl.c | |||
| @@ -328,6 +328,7 @@ static int modssl_is_prelinked(void) | |||
| static apr_status_t ssl_cleanup_pre_config(void *data) | |||
| { | |||
| +#if MODSSL_USE_OPENSSL_PRE_1_1_API | |||
| /* | |||
| * Try to kill the internals of the SSL library. | |||
| */ | |||
| @@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data) | |||
| #if OPENSSL_VERSION_NUMBER >= 0x1000200fL | |||
| #ifndef OPENSSL_NO_COMP | |||
| SSL_COMP_free_compression_methods(); | |||
| -#endif | |||
| #endif | |||
| /* Usually needed per thread, but this parent process is single-threaded */ | |||
| -#if MODSSL_USE_OPENSSL_PRE_1_1_API | |||
| #if OPENSSL_VERSION_NUMBER >= 0x1000000fL | |||
| ERR_remove_thread_state(NULL); | |||
| #else | |||
| @@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data) | |||
| * (when enabled) at this late stage in the game: | |||
| * CRYPTO_mem_leaks_fp(stderr); | |||
| */ | |||
| +#endif | |||
| return APR_SUCCESS; | |||
| } | |||
| @@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, | |||
| #else | |||
| OPENSSL_malloc_init(); | |||
| #endif | |||
| +#if MODSSL_USE_OPENSSL_PRE_1_1_API | |||
| ERR_load_crypto_strings(); | |||
| SSL_load_error_strings(); | |||
| SSL_library_init(); | |||
| + OpenSSL_add_all_algorithms(); | |||
| + OPENSSL_load_builtin_modules(); | |||
| +#endif | |||
| #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES | |||
| ENGINE_load_builtin_engines(); | |||
| #endif | |||
| - OpenSSL_add_all_algorithms(); | |||
| - OPENSSL_load_builtin_modules(); | |||
| if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { | |||
| (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", | |||
| --- a/modules/ssl/ssl_engine_init.c | |||
| +++ b/modules/ssl/ssl_engine_init.c | |||
| @@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) | |||
| return 1; | |||
| } | |||
| + | |||
| +#define OpenSSL_version_num SSLeay | |||
| #endif | |||
| /* | |||
| @@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, | |||
| apr_status_t rv; | |||
| apr_array_header_t *pphrases; | |||
| - if (SSLeay() < MODSSL_LIBRARY_VERSION) { | |||
| + if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) { | |||
| ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) | |||
| "Init: this version of mod_ssl was compiled against " | |||
| "a newer library (%s, version currently loaded is %s)" | |||
| --- a/modules/ssl/ssl_engine_io.c | |||
| +++ b/modules/ssl/ssl_engine_io.c | |||
| @@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) | |||
| if (dc->proxy->ssl_check_peer_expire != FALSE) { | |||
| if (!cert | |||
| || (X509_cmp_current_time( | |||
| - X509_get_notBefore(cert)) >= 0) | |||
| + X509_get0_notBefore(cert)) >= 0) | |||
| || (X509_cmp_current_time( | |||
| - X509_get_notAfter(cert)) <= 0)) { | |||
| + X509_get0_notAfter(cert)) <= 0)) { | |||
| proxy_ssl_check_peer_ok = FALSE; | |||
| ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004) | |||
| "SSL Proxy: Peer certificate is expired"); | |||
| --- a/modules/ssl/ssl_engine_log.c | |||
| +++ b/modules/ssl/ssl_engine_log.c | |||
| @@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level, | |||
| BIO_puts(bio, "(ERROR)"); | |||
| BIO_puts(bio, " / notbefore: "); | |||
| - ASN1_TIME_print(bio, X509_get_notBefore(cert)); | |||
| + ASN1_TIME_print(bio, X509_get0_notBefore(cert)); | |||
| BIO_puts(bio, " / notafter: "); | |||
| - ASN1_TIME_print(bio, X509_get_notAfter(cert)); | |||
| + ASN1_TIME_print(bio, X509_get0_notAfter(cert)); | |||
| BIO_puts(bio, "]"); | |||
| --- a/modules/ssl/ssl_engine_vars.c | |||
| +++ b/modules/ssl/ssl_engine_vars.c | |||
| @@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, | |||
| result = ssl_var_lookup_ssl_cert_serial(p, xs); | |||
| } | |||
| else if (strcEQ(var, "V_START")) { | |||
| - result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); | |||
| + result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs)); | |||
| } | |||
| else if (strcEQ(var, "V_END")) { | |||
| - result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); | |||
| + result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs)); | |||
| } | |||
| else if (strcEQ(var, "V_REMAIN")) { | |||
| - result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); | |||
| + result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs)); | |||
| resdup = FALSE; | |||
| } | |||
| else if (*var && strcEQ(var+1, "_DN")) { | |||
| --- a/modules/ssl/ssl_private.h | |||
| +++ b/modules/ssl/ssl_private.h | |||
| @@ -92,6 +92,8 @@ | |||
| #include <openssl/x509.h> | |||
| #include <openssl/pem.h> | |||
| #include <openssl/crypto.h> | |||
| +#include <openssl/bn.h> | |||
| +#include <openssl/dh.h> | |||
| #include <openssl/evp.h> | |||
| #include <openssl/rand.h> | |||
| #include <openssl/x509v3.h> | |||
| @@ -234,6 +236,10 @@ | |||
| #define BIO_get_shutdown(x) (x->shutdown) | |||
| #define BIO_set_shutdown(x,v) (x->shutdown=v) | |||
| #define DH_bits(x) (BN_num_bits(x->p)) | |||
| +#define X509_get0_notBefore X509_get_notBefore | |||
| +#define X509_get0_notAfter X509_get_notAfter | |||
| +#define X509_getm_notBefore X509_get_notBefore | |||
| +#define X509_getm_notAfter X509_get_notAfter | |||
| #else | |||
| void init_bio_methods(void); | |||
| void free_bio_methods(void); | |||
| --- a/support/ab.c | |||
| +++ b/support/ab.c | |||
| @@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE; | |||
| #define SSL_CTX_set_max_proto_version(ctx, version) \ | |||
| SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) | |||
| #endif | |||
| +#if OPENSSL_VERSION_NUMBER < 0x10100000L | |||
| +#define X509_get0_notBefore X509_get_notBefore | |||
| +#define X509_get0_notAfter X509_get_notAfter | |||
| +#endif | |||
| #endif | |||
| #include <math.h> | |||
| @@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert) | |||
| BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); | |||
| BIO_printf(bio,"Valid from: "); | |||
| - ASN1_UTCTIME_print(bio, X509_get_notBefore(cert)); | |||
| + ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert)); | |||
| BIO_printf(bio,"\n"); | |||
| BIO_printf(bio,"Valid to : "); | |||
| - ASN1_UTCTIME_print(bio, X509_get_notAfter(cert)); | |||
| + ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert)); | |||
| BIO_printf(bio,"\n"); | |||
| pk = X509_get_pubkey(cert); | |||
| @@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[]) | |||
| CRYPTO_malloc_init(); | |||
| #endif | |||
| #endif | |||
| +#if OPENSSL_VERSION_NUMBER < 0x10100000L | |||
| SSL_load_error_strings(); | |||
| SSL_library_init(); | |||
| +#endif | |||
| bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); | |||
| bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); | |||