From 57b10de2c074f01cd7a62a46fb2b471f3f64c42d Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Mon, 10 Aug 2020 13:44:25 -0700 Subject: [PATCH] apache: fix compilation without deprecated OpenSSL APIs Signed-off-by: Rosen Penev --- net/apache/Makefile | 2 +- .../patches/020-openssl-deprecated.patch | 129 ++++++++++++++++++ 2 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 net/apache/patches/020-openssl-deprecated.patch diff --git a/net/apache/Makefile b/net/apache/Makefile index 5f80646c8..963a033f3 100644 --- a/net/apache/Makefile +++ b/net/apache/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apache PKG_VERSION:=2.4.46 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_NAME:=httpd PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2 diff --git a/net/apache/patches/020-openssl-deprecated.patch b/net/apache/patches/020-openssl-deprecated.patch new file mode 100644 index 000000000..c9794384e --- /dev/null +++ b/net/apache/patches/020-openssl-deprecated.patch @@ -0,0 +1,129 @@ +--- a/modules/md/md_crypt.c ++++ b/modules/md/md_crypt.c +@@ -708,23 +708,23 @@ const char *md_cert_get_serial_number(const md_cert_t *cert, apr_pool_t *p) + + int md_cert_is_valid_now(const md_cert_t *cert) + { +- return ((X509_cmp_current_time(X509_get_notBefore(cert->x509)) < 0) +- && (X509_cmp_current_time(X509_get_notAfter(cert->x509)) > 0)); ++ return ((X509_cmp_current_time(X509_get0_notBefore(cert->x509)) < 0) ++ && (X509_cmp_current_time(X509_get0_notAfter(cert->x509)) > 0)); + } + + int md_cert_has_expired(const md_cert_t *cert) + { +- return (X509_cmp_current_time(X509_get_notAfter(cert->x509)) <= 0); ++ return (X509_cmp_current_time(X509_get0_notAfter(cert->x509)) <= 0); + } + + apr_time_t md_cert_get_not_after(const md_cert_t *cert) + { +- return md_asn1_time_get(X509_get_notAfter(cert->x509)); ++ return md_asn1_time_get(X509_get0_notAfter(cert->x509)); + } + + apr_time_t md_cert_get_not_before(const md_cert_t *cert) + { +- return md_asn1_time_get(X509_get_notBefore(cert->x509)); ++ return md_asn1_time_get(X509_get0_notBefore(cert->x509)); + } + + int md_cert_covers_domain(md_cert_t *cert, const char *domain_name) +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -226,7 +226,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + apr_status_t rv; + apr_array_header_t *pphrases; + +- if (SSLeay() < MODSSL_LIBRARY_VERSION) { ++ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) + "Init: this version of mod_ssl was compiled against " + "a newer library (%s, version currently loaded is %s)" +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + if (dc->proxy->ssl_check_peer_expire != FALSE) { + if (!cert + || (X509_cmp_current_time( +- X509_get_notBefore(cert)) >= 0) ++ X509_get0_notBefore(cert)) >= 0) + || (X509_cmp_current_time( +- X509_get_notAfter(cert)) <= 0)) { ++ X509_get0_notAfter(cert)) <= 0)) { + proxy_ssl_check_peer_ok = FALSE; + ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004) + "SSL Proxy: Peer certificate is expired"); +--- a/modules/ssl/ssl_engine_log.c ++++ b/modules/ssl/ssl_engine_log.c +@@ -161,10 +161,10 @@ static void ssl_log_cert_error(const char *file, int line, int level, + BIO_puts(bio, "(ERROR)"); + + BIO_puts(bio, " / notbefore: "); +- ASN1_TIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); + + BIO_puts(bio, " / notafter: "); +- ASN1_TIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); + + BIO_puts(bio, "]"); + +--- a/modules/ssl/ssl_engine_vars.c ++++ b/modules/ssl/ssl_engine_vars.c +@@ -490,13 +490,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + result = ssl_var_lookup_ssl_cert_serial(p, xs); + } + else if (strcEQ(var, "V_START")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs)); + } + else if (strcEQ(var, "V_END")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs)); + } + else if (strcEQ(var, "V_REMAIN")) { +- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs)); + resdup = FALSE; + } + else if (*var && strcEQ(var+1, "_DN")) { +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -98,6 +98,9 @@ + #include + #include + #include ++#include ++#include ++#include + + /* Avoid tripping over an engine build installed globally and detected + * when the user points at an explicit non-engine flavor of OpenSSL +--- a/support/ab.c ++++ b/support/ab.c +@@ -652,11 +652,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert) + + BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); + BIO_printf(bio,"Valid from: "); +- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert)); + BIO_printf(bio,"\n"); + + BIO_printf(bio,"Valid to : "); +- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert)); + BIO_printf(bio,"\n"); + + pk = X509_get_pubkey(cert); +@@ -2634,8 +2634,10 @@ int main(int argc, const char * const argv[]) + CRYPTO_malloc_init(); + #endif + #endif ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_load_error_strings(); + SSL_library_init(); ++#endif + bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); + bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); +